======================================= Sat, 11 Jul 2026 - Debian 13.6 released ======================================= apache2 (2.4.68-1~deb13u1) trixie; urgency=medium . * New upstream version (Closes: CVE-2026-29167, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186, CVE-2026-44631, CVE-2026-48913) * Drop CVE-2026-49975_*, now included in upstream * Update debian/convert_docs * Update test framework apache2 (2.4.68-1~deb12u1) bookworm; urgency=medium . * New upstream version (Closes: CVE-2026-29167, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186, CVE-2026-44631, CVE-2026-48913, CVE-2026-49975) * Drop CVE-2026-49975_1.patch, now included in upstream * Drop CVE-2026-49975_2.patch, now included in upstream * Update debian/convert_docs * Update test framewaork apache2 (2.4.67-2) unstable; urgency=medium . * Fix a typo in NEWS file (Closes: #1135096) * Fix CVE-2026-49975 (HTTP/2 Bomb) The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it. apache2 (2.4.67-1) unstable; urgency=medium . * New upstream release (Closes: #1135737, CVE-2026-23918, CVE-2026-24072, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059) * Refresh patches apache2 (2.4.67-1~deb13u3) trixie-security; urgency=medium . * Fix CVE-2026-49975 (HTTP/2 Bomb) The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it. archlinux-keyring (0~20260420-1~deb13u1) trixie; urgency=medium . * gbp.conf: set branch to debian/trixie * salsa-ci.yml: set release to trixie . archlinux-keyring (0~20260420-1) unstable; urgency=medium . * Update standards version to 4.7.4 * Fix version mangling in debian/watch * New upstream version 0~20260420 . archlinux-keyring (0~20251116-1) unstable; urgency=medium . * New upstream version 0~20251116 * Fix debian/watch to also set dversionmangle and upgrade to v5 . archlinux-keyring (0~20250716-1) unstable; urgency=medium . * Add gbp.conf * New upstream version 0~20250716 archlinux-keyring (0~20251116-1) unstable; urgency=medium . * New upstream version 0~20251116 * Fix debian/watch to also set dversionmangle and upgrade to v5 archlinux-keyring (0~20250716-1) unstable; urgency=medium . * Add gbp.conf * New upstream version 0~20250716 atril (1.26.2-4+deb13u1) trixie-security; urgency=medium . * Non-maintainer upload by the LTS Team. * CVE-2026-46529: command line argument injection (Closes: #1139874) awstats (7.9-1+deb13u2) trixie; urgency=medium . * Add upstream patch to fix freeze on keyword stat (Closes: #1135203) base-files (13.8+deb13u6) trixie; urgency=medium . * Update debian_version and os-release for Debian 13.6 point release. beets (2.2.0-3+deb13u1) trixie; urgency=medium . * Add patch to fix xss vulnerability CVE-2026-42052 in web ui (Closes: #1135779) * Add patch with test for unsafe web ui input bind9 (1:9.20.23-1~deb13u1) trixie-security; urgency=high . * New upstream version 9.20.23 + [CVE-2026-3592]: Limit resolver server list size. + [CVE-2026-3039]: Fix GSS-API resource leak. + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN views. + [CVE-2026-5950]: Avoid unbounded recursion loop. + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses are received under load. + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. bind9 (1:9.20.23-1~deb13u1~bpo12+1) bookworm-backports; urgency=medium . * Rebuild for bookworm-backports. bind9 (1:9.20.22-1) unstable; urgency=medium . * New upstream version 9.20.22 bind9 (1:9.20.21-1) unstable; urgency=high . * New upstream version 9.20.21 - [CVE-2026-1519]: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. - [CVE-2026-3104]: Fix memory leaks in code preparing DNSSEC proofs of non-existence. - [CVE-2026-3119]: Prevent a crash in code processing queries containing a TKEY record. - [CVE-2026-3591]: Fix a stack use-after-return flaw in SIG(0) handling code. bird2 (2.17.5-0+deb13u1) trixie-security; urgency=medium . * New upstream release. bird2 (2.17.3-2) unstable; urgency=medium . * bird.service: fix the Environment directive. (Closes: #1123567) bird2 (2.17.3-1) unstable; urgency=medium . * New upstream release. * New maintainer. * Use Restart=on-abnormal instead of on-abort. (Closes: #1099513) * Do not install an example /etc/bird/bird.conf anymore, because there is no useful BIRD configuration that can be enabled by default. * Create /etc/bird/ with standard permissions: the local admin can use appropriate permission for bird.conf if access to it needs to be restricted. * Create the bird user with no home directory for added security. bird2 (2.17.2-1) unstable; urgency=medium . * New upstream version 2.17.2 * Update debian/watch for new BIRD download URL bird3 (3.1.7-0+deb13u1) trixie-security; urgency=medium . * New upstream release. bird3 (3.1.5-2) unstable; urgency=medium . * bird.service: fix the Environment directive. bird3 (3.1.5-1) unstable; urgency=medium . * New upstream release. * New maintainer. * Use Restart=on-abnormal instead of on-abort. (Closes: #1099513) * Do not install an example /etc/bird/bird.conf anymore, because there is no useful BIRD configuration that can be enabled by default. * Create /etc/bird/ with standard permissions: the local admin can use appropriate permission for bird.conf if access to it needs to be restricted. * Create the bird user with no home directory for added security. bird3 (3.1.4-1) unstable; urgency=medium . * New upstream version * Update debian/watch for new BIRD download URL calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium . * Fix security vulnerabilities and code quality issues (Closes: #1135543) * CVE-2026-30853: RB Input: Ensure files are extracted within container dir * CVE-2026-33205 (1/2): E-book viewer: prevent reading background images from outside the config dir * CVE-2026-33205 (2/2): E-book viewer: Disallow background images from the internet. This was an unused feature anyway * CVE-2026-33206: TXT Input: Ensure resource files are read only from book contents ceph (18.2.7+ds-1+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * mgr/alerts: enforce ssl context to SMTP_SSL (CVE-2024-31884) (Closes: #1126573) * Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty (CVE-2024-47866) (Closes: #1120797) chromium (150.0.7871.100-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE list still to be announced. * debian/patches/ungoogled/remove-navigation-source-param.patch: fix crash related to the previous version's resynch. Thanks to plmaneo for the suggested patch (closes: #1141488). chromium (150.0.7871.100-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE list still to be announced. * debian/patches/ungoogled/remove-navigation-source-param.patch: fix crash related to the previous version's resynch. Thanks to plmaneo for the suggested patch (closes: #1141488). chromium (150.0.7871.46-1) unstable; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-13774: Use after free in Extensions. Reported by Google. - CVE-2026-13775: Use after free in GPU. Reported by Google. - CVE-2026-14398: Use after free in ANGLE. Reported by Google. - CVE-2026-13776: Type Confusion in Dawn. Reported by Google. - CVE-2026-13777: Insufficient validation of untrusted input in iOSWeb. Reported by Google. - CVE-2026-13778: Use after free in WebUSB. Reported by Google. - CVE-2026-13779: Use after free in Chromoting. Reported by Google. - CVE-2026-13780: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13781: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14417: Use after free in Dawn. Reported by Google. - CVE-2026-13782: Use after free in Browser. Reported by Google. - CVE-2026-13783: Use after free in Views. Reported by Google. - CVE-2026-13784: Use after free in Views. Reported by Google. - CVE-2026-14419: Use after free in Skia. Reported by Google. - CVE-2026-13785: Use after free in Bluetooth. Reported by Google. - CVE-2026-14420: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-13786: Use after free in Ozone. Reported by Google. - CVE-2026-14427: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-13787: Use after free in Chromoting. Reported by Google. - CVE-2026-13788: Use after free in Fullscreen. Reported by Google. - CVE-2026-14382: Insufficient validation of untrusted input in ANGLE. Reported by anonymous. - CVE-2026-13790: Side-channel information leakage in Scroll. Reported by Vsevolod Kokorin (Slonser) of Solidlab and Jorian Woltjer. - CVE-2026-14385: Heap buffer overflow in ANGLE. Reported by Thomas Guillem . - CVE-2026-13791: Insufficient validation of untrusted input in Downloads. Reported by Ron Masas (Imperva). - CVE-2026-13792: Use after free in Touchbar. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-13793: Insufficient policy enforcement in SVG. Reported by pakhunov.anton.n@gmail.com. - CVE-2026-14392: Out of bounds write in Tint. Reported by FastPL Group, Imperial College London. - CVE-2026-13794: Insufficient validation of untrusted input in WebAppInstalls. Reported by Daniel Rodríguez. - CVE-2026-14422: Out of bounds read and write in Tint. Reported by Michal Andryskowski. - CVE-2026-13795: Insufficient policy enforcement in Chrome for iOS. Reported by maitai. - CVE-2026-14426: Use after free in V8. Reported by ywatanabee. - CVE-2026-13796: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13797: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-14386: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13798: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-13799: Use after free in QUIC. Reported by Google. - CVE-2026-13800: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-13801: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13802: Use after free in Views. Reported by Google. - CVE-2026-13803: Type Confusion in Chrome Tabs. Reported by Google. - CVE-2026-13804: Use after free in Chromecast. Reported by Google. - CVE-2026-13805: Use after free in GFX. Reported by Google. - CVE-2026-14390: Use after free in ANGLE. Reported by Google. - CVE-2026-13806: Insufficient validation of untrusted input in Accessibility. Reported by Google. - CVE-2026-13807: Use after free in Import. Reported by Google. - CVE-2026-13808: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-13809: Side-channel information leakage in Safe Browsing. Reported by Google. - CVE-2026-13810: Inappropriate implementation in Input. Reported by dilipsc03@gmail.com. - CVE-2026-13811: Use after free in IME. Reported by Google. - CVE-2026-13812: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13813: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13814: Use after free in Views. Reported by Google. - CVE-2026-13815: Use after free in Blink. Reported by Google. - CVE-2026-13816: Insufficient validation of untrusted input in File Input. Reported by Google. - CVE-2026-14396: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13817: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-13818: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13819: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13820: Out of bounds read in Skia. Reported by Google. - CVE-2026-14400: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14401: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14402: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13821: Use after free in Canvas. Reported by Google. - CVE-2026-13822: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-13823: Use after free in Glic. Reported by Google. - CVE-2026-13824: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13825: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13826: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13827: Use after free in Updater. Reported by Google. - CVE-2026-13828: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-13829: Insufficient validation of untrusted input in Settings. Reported by Google. - CVE-2026-13830: Use after free in Chromoting. Reported by Google. - CVE-2026-13831: Use after free in GPU. Reported by Google. - CVE-2026-13832: Use after free in Headless. Reported by Google. - CVE-2026-14411: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13833: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14412: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14413: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13834: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13835: Inappropriate implementation in XML. Reported by Google. - CVE-2026-13836: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13837: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13838: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13839: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13840: Insufficient policy enforcement in Canvas. Reported by Binglin Song. - CVE-2026-13841: Integer overflow in Skia. Reported by Google. - CVE-2026-13842: Incorrect security UI in Chrome for iOS. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-14418: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13843: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13844: Use after free in Updater. Reported by Google. - CVE-2026-13845: Use after free in DOM. Reported by Google. - CVE-2026-13846: Use after free in USB. Reported by Google. - CVE-2026-13847: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13848: Use after free in Forms. Reported by Google. - CVE-2026-13849: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14423: Type Confusion in Tint. Reported by Google. - CVE-2026-13850: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14424: Use after free in Dawn. Reported by Google. - CVE-2026-14425: Use after free in ANGLE. Reported by Google. - CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14428: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14429: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14430: Integer overflow in V8. Reported by Google. - CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13853: Use after free in Journeys. Reported by Google. - CVE-2026-13854: Use after free in Ozone. Reported by Google. - CVE-2026-14431: Type Confusion in V8. Reported by OpenAI Codex Security (amyb). - CVE-2026-13855: Use after free in Ozone. Reported by Google. - CVE-2026-13856: Insufficient validation of untrusted input in Speech. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-13857: Inappropriate implementation in Geometry. Reported by Luan Herrera (@lbherrera_). - CVE-2026-13858: Out of bounds read in FFmpeg. Reported by Wongi Lee (@_qwerty_po) of Theori with Xint Code, Jungwoo Lee (@physicube). - CVE-2026-13859: Inappropriate implementation in ANGLE. Reported by Jason Villaluna. - CVE-2026-14391: Integer overflow in ANGLE. Reported by Quac Tran. - CVE-2026-13860: Incorrect security UI in Autofill. Reported by Khalil Zhani. - CVE-2026-14408: Uninitialized Use in Dawn. Reported by Chrovus. - CVE-2026-14381: Incorrect security UI in WebAppInstalls. Reported by Hafiizh. - CVE-2026-14383: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13861: Use after free in Core. Reported by Google. - CVE-2026-13862: Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys). Reported by Google. - CVE-2026-13863: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13864: Insufficient policy enforcement in WebHID. Reported by Google. - CVE-2026-13865: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13866: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-13867: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-13868: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14384: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13869: Use after free in Device. Reported by Google. - CVE-2026-13870: Use after free in WebView. Reported by Google. - CVE-2026-13871: Insufficient data validation in GuestView. Reported by Google. - CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13873: Out of bounds memory access in Layout. Reported by Google. - CVE-2026-13874: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13875: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-13876: Inappropriate implementation in Network. Reported by Google. - CVE-2026-13877: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13878: Use after free in Bluetooth. Reported by Google. - CVE-2026-13879: Use after free in Bluetooth. Reported by Google. - CVE-2026-13880: Use after free in USB. Reported by Google. - CVE-2026-13881: Insufficient data validation in WebAppInstalls. Reported by Google. - CVE-2026-13882: Inappropriate implementation in USB. Reported by Google - CVE-2026-13883: Type Confusion in ANGLE. Reported by Google. - CVE-2026-13884: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-14387: Integer overflow in Skia. Reported by Google. - CVE-2026-13885: Use after free in Skia. Reported by Google. - CVE-2026-13886: Policy bypass in Isolated Web Apps. Reported by Google. - CVE-2026-14388: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-14389: Integer overflow in Skia. Reported by Google. - CVE-2026-13887: Insufficient policy enforcement in NFC. Reported by Google. - CVE-2026-13888: Use after free in Extensions. Reported by Google. - CVE-2026-13889: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-13890: Out of bounds read in Chromecast. Reported by Google. - CVE-2026-13891: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13892: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13893: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-13894: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-13895: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13896: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-13897: Insufficient policy enforcement in Chromecast. Reported by Google. - CVE-2026-13898: Use after free in Cast Receiver. Reported by Google. - CVE-2026-13899: Use after free in HTML. Reported by Google. - CVE-2026-13900: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-13901: Insufficient validation of untrusted input in Serial. Reported by Google. - CVE-2026-13902: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13903: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-13904: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13905: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13906: Out of bounds read in Codecs. Reported by Google. - CVE-2026-13907: Inappropriate implementation in iOSWeb. Reported by Google. - CVE-2026-13908: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-13909: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-13910: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-13911: Insufficient data validation in Spellcheck. Reported by Google. - CVE-2026-13912: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13913: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-13914: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13915: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13916: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13917: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13918: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13919: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-14393: Use after free in V8. Reported by Google. - CVE-2026-13920: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-13921: Insufficient validation of untrusted input in DeviceBoundSessionCredentials. Reported by Google. - CVE-2026-13922: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-13923: Uninitialized Use in GPU. Reported by Google. - CVE-2026-14397: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-13924: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-13925: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-13926: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-13927: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-13928: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13929: Insufficient validation of untrusted input in DevTools. Reported by LegioSec. - CVE-2026-13930: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-13931: Inappropriate implementation in Media. Reported by Google. - CVE-2026-13932: Inappropriate implementation in Sharing. Reported by Google. - CVE-2026-13933: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13934: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14399: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13935: Side-channel information leakage in ComputePressure. Reported by Google. - CVE-2026-13936: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13937: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13938: Integer overflow in Fonts. Reported by Google. - CVE-2026-13939: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-13940: Uninitialized Use in Cast. Reported by Google. - CVE-2026-13941: Inappropriate implementation in SiteSettings. Reported by Google. - CVE-2026-13942: Insufficient validation of untrusted input in Video Capture. Reported by Google. - CVE-2026-13943: Uninitialized Use in CSS. Reported by Google. - CVE-2026-13944: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13945: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13946: Inappropriate implementation in ScriptInjections. Reported by Google. - CVE-2026-13947: Uninitialized Use in XR. Reported by Google. - CVE-2026-13948: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13949: Insufficient policy enforcement in Payments. Reported by Google. - CVE-2026-14404: Inappropriate implementation in PDFium. Reported by Google. - CVE-2026-13950: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13951: Policy bypass in USB. Reported by Google. - CVE-2026-13952: Inappropriate implementation in PerformanceAPIs. Reported by Google. - CVE-2026-14406: Out of bounds read in V8. Reported by Google. - CVE-2026-13953: Inappropriate implementation in SplitView. Reported by Google. - CVE-2026-13954: Insufficient policy enforcement in XML. Reported by Google. - CVE-2026-13955: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13956: Incorrect security UI in PageInfo. Reported by Google. - CVE-2026-13957: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13958: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14407: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13959: Insufficient validation of untrusted input in Blink. Reported by Google. - CVE-2026-13960: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13961: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13962: Insufficient data validation in PDF. Reported by Google - CVE-2026-13963: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-13964: Insufficient policy enforcement in WebView. Reported by Google. - CVE-2026-13965: Use after free in Oilpan. Reported by Google. - CVE-2026-13966: Inappropriate implementation in History. Reported by Google. - CVE-2026-13967: Type Confusion in V8. Reported by Google. - CVE-2026-13968: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13969: Uninitialized Use in UI. Reported by Google. - CVE-2026-13970: Uninitialized Use in Media. Reported by Google. - CVE-2026-13971: Uninitialized Use in Skia. Reported by Google. - CVE-2026-13972: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13973: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13974: Integer overflow in Safe Browsing. Reported by Google. - CVE-2026-13975: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13976: Heap buffer overflow in Storage. Reported by Google. - CVE-2026-13977: Inappropriate implementation in HTMLParser. Reported by Google. - CVE-2026-13978: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-14414: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-13979: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13980: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13981: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13982: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-13983: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13984: Incorrect security UI in TabStrip. Reported by Google. - CVE-2026-13985: Inappropriate implementation in MediaCapture. Reported by Google. - CVE-2026-13986: Inappropriate implementation in Media UI. Reported by Google. - CVE-2026-13987: Incorrect security UI in Mobile. Reported by Google. - CVE-2026-13988: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13989: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-13990: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-13991: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13992: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13993: Incorrect security UI in WebAppInstalls. Reported by Google. - CVE-2026-13994: Inappropriate implementation in Credential Management. Reported by Google. - CVE-2026-13995: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-13996: Incorrect security UI in Permissions. Reported by Google. - CVE-2026-13997: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13998: Incorrect security UI in File Input. Reported by Google - CVE-2026-13999: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14000: Inappropriate implementation in XML. Reported by Google - CVE-2026-14001: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14002: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-14003: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14004: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14005: Use after free in Omnibox. Reported by Google. - CVE-2026-14006: Use after free in Navigation. Reported by Google. - CVE-2026-14007: Insufficient policy enforcement in PermissionsPolicy. Reported by Google. - CVE-2026-14008: Uninitialized Use in WebXR. Reported by Google. - CVE-2026-14009: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-14010: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14011: Out of bounds read in SurfaceCapture. Reported by Google. - CVE-2026-14421: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-14012: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14013: Inappropriate implementation in SVG. Reported by Google - CVE-2026-14014: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-14015: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-14016: Insufficient policy enforcement in SVG. Reported by Google. - CVE-2026-14017: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-14018: Use after free in Updater. Reported by Google. - CVE-2026-14019: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-14020: Insufficient validation of untrusted input in WebXR. Reported by Google. - CVE-2026-14021: Insufficient validation of untrusted input in StorageAccessAPI. Reported by Google. - CVE-2026-14022: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14023: Insufficient validation of untrusted input in SanitizerAPI. Reported by Google. - CVE-2026-14024: Use after free in Ozone. Reported by Google. - CVE-2026-14432: Use after free in V8. Reported by Google. - CVE-2026-14025: Use after free in Views. Reported by asjidkalam. - CVE-2026-14026: Incorrect security UI in SplitView. Reported by adisahilna35@gmail.com. - CVE-2026-14027: Use after free in SignIn. Reported by Sven Dysthe (@svn-dys). - CVE-2026-14028: Incorrect security UI in Chrome for iOS. Reported by Ameen Basha M K. - CVE-2026-14030: Incorrect security UI in SplitView. Reported by Khalil Zhani. - CVE-2026-14031: Incorrect security UI in File Input. Reported by Google - CVE-2026-14032: Use after free in Bluetooth. Reported by Google. - CVE-2026-14033: Insufficient policy enforcement in Media. Reported by Google. - CVE-2026-14034: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14035: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14036: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14037: Insufficient policy enforcement in GPU. Reported by Google. - CVE-2026-14038: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-14039: Insufficient policy enforcement in GetUserMedia. Reported by Google. - CVE-2026-14040: Use after free in BrowserTag. Reported by Google. - CVE-2026-14041: Insufficient policy enforcement in Serial. Reported by Google. - CVE-2026-14042: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-14043: Use after free in GetUserMedia. Reported by Google. - CVE-2026-14044: Use after free in ANGLE. Reported by Google. - CVE-2026-14045: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14046: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-14047: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14048: Use after free in Chromecast. Reported by Google. - CVE-2026-14049: Inappropriate implementation in GPU. Reported by Google - CVE-2026-14050: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-14051: Uninitialized Use in GamepadAPI. Reported by Google. - CVE-2026-14052: Insufficient policy enforcement in FileSystem. Reported by Google. - CVE-2026-14053: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14054: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-14055: Insufficient validation of untrusted input in Device Trust. Reported by Google. - CVE-2026-14056: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-14057: Insufficient policy enforcement in FedCM. Reported by Google. - CVE-2026-14058: Policy bypass in Parser. Reported by Google. - CVE-2026-14059: Insufficient policy enforcement in Related-Website-Sets. Reported by Google. - CVE-2026-14060: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14061: Inappropriate implementation in Dawn. Reported by Google. - CVE-2026-14062: Inappropriate implementation in Views. Reported by Google. - CVE-2026-14063: Out of bounds memory access in Chromecast. Reported by Google. - CVE-2026-14064: Use after free in PageInfo. Reported by Google. - CVE-2026-14065: Insufficient validation of untrusted input in PageInfo. Reported by Google. - CVE-2026-14066: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14067: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14068: Inappropriate implementation in Omnibox. Reported by Google. - CVE-2026-14069: Integer overflow in WebNN. Reported by Google. - CVE-2026-14070: Uninitialized Use in WebNN. Reported by Google. - CVE-2026-14071: Side-channel information leakage in WebAudio. Reported by Google. - CVE-2026-14072: Incorrect security UI in SplitView. Reported by FARISSAL B. - CVE-2026-14073: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-14394: Use after free in V8. Reported by Google. - CVE-2026-14395: Out of bounds write in V8. Reported by Google. - CVE-2026-14074: Side-channel information leakage in WebAuthentication. Reported by Google. - CVE-2026-14075: Policy bypass in Chrome for iOS. Reported by Google. - CVE-2026-14076: Policy bypass in Network. Reported by Google. - CVE-2026-14077: Incorrect security UI in Select. Reported by pwn.ai. - CVE-2026-14078: Policy bypass in WebRTC. Reported by Google. - CVE-2026-14079: Policy bypass in Network. Reported by Google. - CVE-2026-14080: Insufficient validation of untrusted input in TabSwitcher. Reported by Google. - CVE-2026-14081: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-14082: Race in Storage. Reported by Google. - CVE-2026-14083: Insufficient validation of untrusted input in HTML. Reported by Google. - CVE-2026-14084: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14085: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14086: Insufficient policy enforcement in HID. Reported by Google. - CVE-2026-14087: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-14088: Uninitialized Use in Canvas. Reported by Google. - CVE-2026-14089: Insufficient validation of untrusted input in PopupBlocker. Reported by Google. - CVE-2026-14090: Out of bounds read in CameraCapture. Reported by Google - CVE-2026-14091: Use after free in DevTools. Reported by Google. - CVE-2026-14092: Insufficient policy enforcement in Privacy. Reported by Google. - CVE-2026-14093: Use after free in Cast. Reported by Google. - CVE-2026-14094: Use after free in Installer. Reported by Google. - CVE-2026-14095: Insufficient validation of untrusted input in Browser. Reported by Google. - CVE-2026-14403: Use after free in V8. Reported by Google. - CVE-2026-14096: Object lifecycle issue in Input. Reported by Google. - CVE-2026-14097: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14098: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14405: Uninitialized Use in V8. Reported by Google. - CVE-2026-14099: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14100: Insufficient data validation in NetworkCache. Reported by Google. - CVE-2026-14101: Insufficient policy enforcement in Sandbox. Reported by Google. - CVE-2026-14102: Use after free in Passwords. Reported by Google. - CVE-2026-14103: Use after free in SSL. Reported by Google. - CVE-2026-14104: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14105: Insufficient policy enforcement in Speech. Reported by Google. - CVE-2026-14106: Insufficient validation of untrusted input in Text. Reported by Google. - CVE-2026-14107: Use after free in Scheduling. Reported by Google. - CVE-2026-14108: Use after free in PDFium. Reported by Google. - CVE-2026-14109: Insufficient policy enforcement in Mojo. Reported by Google. - CVE-2026-14110: Inappropriate implementation in DarkMode. Reported by Google. - CVE-2026-14111: Use after free in WebProtect. Reported by Google. - CVE-2026-14112: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-14113: Use after free in Updater. Reported by Google. - CVE-2026-14114: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14115: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-14116: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14117: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14118: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-14119: Type Confusion in Bluetooth. Reported by Google. - CVE-2026-14120: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14121: Use after free in Chromoting. Reported by Google. - CVE-2026-14409: Inappropriate implementation in V8. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab. - CVE-2026-14122: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14410: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-14123: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14124: Inappropriate implementation in CredentialProvider. Reported by Google. - CVE-2026-14125: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14126: Incorrect security UI in UI. Reported by Google. - CVE-2026-14127: Inappropriate implementation in Printing. Reported by Google. - CVE-2026-14128: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-14129: Incorrect security UI in PreviewTab. Reported by Google - CVE-2026-14130: Incorrect security UI in Omnibox. Reported by Google. - CVE-2026-14131: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14132: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14133: Race in History Embeddings. Reported by Google. - CVE-2026-14134: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-14135: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14136: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14137: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14138: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14139: Inappropriate implementation in TabStrip. Reported by Google. - CVE-2026-14140: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-14141: Incorrect security UI in Document Picture-in-Picture. Reported by Google. - CVE-2026-14142: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14143: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-14144: Incorrect security UI in Views. Reported by Google. - CVE-2026-14145: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14146: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14147: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14415: Inappropriate implementation in V8. Reported by Google. - CVE-2026-14148: Type Confusion in CSS. Reported by Google. - CVE-2026-14149: Use after free in Audio. Reported by Google. - CVE-2026-14416: Out of bounds read in Dawn. Reported by Google. - CVE-2026-14150: Insufficient validation of untrusted input in Speech. Reported by Google. - CVE-2026-14151: Inappropriate implementation in AI. Reported by Google. - CVE-2026-14152: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14153: Inappropriate implementation in Glic. Reported by Google. - CVE-2026-14154: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14155: Insufficient policy enforcement in StorageAccessAPI. Reported by Google. - CVE-2026-14156: Policy bypass in StorageAccessAPI. Reported by Google. - CVE-2026-13281: Integer overflow in Mojo. Reported by Google. - CVE-2026-13282: Use after free in Payments. Reported by Google. - CVE-2026-13283: Use after free in AdFilter. Reported by Google. * d/copyright: - delete third_party/webpagereplay/. - delete tsgo (typescript compiler in Go) binary. * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: drop, merged upstream. - disable/android.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/libcpp-headers.patch: rework parts of the patch due to upstream changes. - disable/catapult.patch: refresh. - disable/tests.patch: refresh. - llvm-19/clang19.patch: refresh. - trixie/gn-expand-dir-allowlist.patch: refresh. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - i386/support-i386.patch: refresh. - upstream/sysroot.patch: add a new build fix pulled from upstream. - upstream/ar-path1.patch, upstream/ar-path2.patch: add two more vendoring-related build fixes from upstream. - trixie/gn-additional-outputs.patch: add patch to partially revert usage of a newer generate-ninja feature. - llvm-19/i18n-builder-enum.patch: add a workaround for clang-19 being confused between a class declaration (with default template parameter) and definition. - llvm-19/00*-revert-v8-libm.patch: add 9 patches backing out usage of internal libc++/libm symbols; this requires a newer llvm than we have. - llvm-19/value-or.patch: work around more places where value_or() can't figure out the type of a passed init value. - trixie/node20-compat.patch: break out part of Daniel's node18-compat.patch (below) into one for trixie that also fixes nodejs 20 issues [trixie, bookworm]. - rust-1.85/std-from-utf8.patch: add workaround for str::from_utf8 added in 1.87 [trixie, bookworm]. - trixie/bindgen-boringssl.patch: add workaround for older bindgen [trixie, bookworm]. . [ Daniel Richard G. ] * d/patches: - bookworm/gn-absl.patch: Refresh [bookworm]. - bookworm/gn-funcs.patch: Zap new usage of filter_labels_include() [bookworm]. - bookworm/node18-compat.patch: Fix more cases of nodejs v18 breakage [bookworm]. - trixie/gn-module-name.patch: add more spots where the workaround is needed [trixie, bookworm]. . [ Jianfeng Liu ] * d/patches: - upstream/libyuv-loongarch-fix-row_lsx.cc-and-row_lasx.cc.patch: Fix build for libyuv loongarch64. - loongarch64/0015-ffmpeg-support-for-loongarch.patch: Refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - fixes/fix-rust-linking.patch: refresh for upstream changes - fixes/fix-breakpad-compile.patch: refresh for upstream changes - third_party/dawn-fix-ppc64le-detection.patch: refresh for upstream changes - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes chromium (150.0.7871.46-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-13774: Use after free in Extensions. Reported by Google. - CVE-2026-13775: Use after free in GPU. Reported by Google. - CVE-2026-14398: Use after free in ANGLE. Reported by Google. - CVE-2026-13776: Type Confusion in Dawn. Reported by Google. - CVE-2026-13777: Insufficient validation of untrusted input in iOSWeb. Reported by Google. - CVE-2026-13778: Use after free in WebUSB. Reported by Google. - CVE-2026-13779: Use after free in Chromoting. Reported by Google. - CVE-2026-13780: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13781: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14417: Use after free in Dawn. Reported by Google. - CVE-2026-13782: Use after free in Browser. Reported by Google. - CVE-2026-13783: Use after free in Views. Reported by Google. - CVE-2026-13784: Use after free in Views. Reported by Google. - CVE-2026-14419: Use after free in Skia. Reported by Google. - CVE-2026-13785: Use after free in Bluetooth. Reported by Google. - CVE-2026-14420: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-13786: Use after free in Ozone. Reported by Google. - CVE-2026-14427: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-13787: Use after free in Chromoting. Reported by Google. - CVE-2026-13788: Use after free in Fullscreen. Reported by Google. - CVE-2026-14382: Insufficient validation of untrusted input in ANGLE. Reported by anonymous. - CVE-2026-13790: Side-channel information leakage in Scroll. Reported by Vsevolod Kokorin (Slonser) of Solidlab and Jorian Woltjer. - CVE-2026-14385: Heap buffer overflow in ANGLE. Reported by Thomas Guillem . - CVE-2026-13791: Insufficient validation of untrusted input in Downloads. Reported by Ron Masas (Imperva). - CVE-2026-13792: Use after free in Touchbar. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-13793: Insufficient policy enforcement in SVG. Reported by pakhunov.anton.n@gmail.com. - CVE-2026-14392: Out of bounds write in Tint. Reported by FastPL Group, Imperial College London. - CVE-2026-13794: Insufficient validation of untrusted input in WebAppInstalls. Reported by Daniel Rodríguez. - CVE-2026-14422: Out of bounds read and write in Tint. Reported by Michal Andryskowski. - CVE-2026-13795: Insufficient policy enforcement in Chrome for iOS. Reported by maitai. - CVE-2026-14426: Use after free in V8. Reported by ywatanabee. - CVE-2026-13796: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13797: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-14386: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13798: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-13799: Use after free in QUIC. Reported by Google. - CVE-2026-13800: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-13801: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13802: Use after free in Views. Reported by Google. - CVE-2026-13803: Type Confusion in Chrome Tabs. Reported by Google. - CVE-2026-13804: Use after free in Chromecast. Reported by Google. - CVE-2026-13805: Use after free in GFX. Reported by Google. - CVE-2026-14390: Use after free in ANGLE. Reported by Google. - CVE-2026-13806: Insufficient validation of untrusted input in Accessibility. Reported by Google. - CVE-2026-13807: Use after free in Import. Reported by Google. - CVE-2026-13808: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-13809: Side-channel information leakage in Safe Browsing. Reported by Google. - CVE-2026-13810: Inappropriate implementation in Input. Reported by dilipsc03@gmail.com. - CVE-2026-13811: Use after free in IME. Reported by Google. - CVE-2026-13812: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13813: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13814: Use after free in Views. Reported by Google. - CVE-2026-13815: Use after free in Blink. Reported by Google. - CVE-2026-13816: Insufficient validation of untrusted input in File Input. Reported by Google. - CVE-2026-14396: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13817: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-13818: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13819: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13820: Out of bounds read in Skia. Reported by Google. - CVE-2026-14400: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14401: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14402: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13821: Use after free in Canvas. Reported by Google. - CVE-2026-13822: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-13823: Use after free in Glic. Reported by Google. - CVE-2026-13824: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13825: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13826: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13827: Use after free in Updater. Reported by Google. - CVE-2026-13828: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-13829: Insufficient validation of untrusted input in Settings. Reported by Google. - CVE-2026-13830: Use after free in Chromoting. Reported by Google. - CVE-2026-13831: Use after free in GPU. Reported by Google. - CVE-2026-13832: Use after free in Headless. Reported by Google. - CVE-2026-14411: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13833: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14412: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14413: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13834: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13835: Inappropriate implementation in XML. Reported by Google. - CVE-2026-13836: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13837: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13838: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13839: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13840: Insufficient policy enforcement in Canvas. Reported by Binglin Song. - CVE-2026-13841: Integer overflow in Skia. Reported by Google. - CVE-2026-13842: Incorrect security UI in Chrome for iOS. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-14418: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13843: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13844: Use after free in Updater. Reported by Google. - CVE-2026-13845: Use after free in DOM. Reported by Google. - CVE-2026-13846: Use after free in USB. Reported by Google. - CVE-2026-13847: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13848: Use after free in Forms. Reported by Google. - CVE-2026-13849: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14423: Type Confusion in Tint. Reported by Google. - CVE-2026-13850: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14424: Use after free in Dawn. Reported by Google. - CVE-2026-14425: Use after free in ANGLE. Reported by Google. - CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14428: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14429: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14430: Integer overflow in V8. Reported by Google. - CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13853: Use after free in Journeys. Reported by Google. - CVE-2026-13854: Use after free in Ozone. Reported by Google. - CVE-2026-14431: Type Confusion in V8. Reported by OpenAI Codex Security (amyb). - CVE-2026-13855: Use after free in Ozone. Reported by Google. - CVE-2026-13856: Insufficient validation of untrusted input in Speech. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-13857: Inappropriate implementation in Geometry. Reported by Luan Herrera (@lbherrera_). - CVE-2026-13858: Out of bounds read in FFmpeg. Reported by Wongi Lee (@_qwerty_po) of Theori with Xint Code, Jungwoo Lee (@physicube). - CVE-2026-13859: Inappropriate implementation in ANGLE. Reported by Jason Villaluna. - CVE-2026-14391: Integer overflow in ANGLE. Reported by Quac Tran. - CVE-2026-13860: Incorrect security UI in Autofill. Reported by Khalil Zhani. - CVE-2026-14408: Uninitialized Use in Dawn. Reported by Chrovus. - CVE-2026-14381: Incorrect security UI in WebAppInstalls. Reported by Hafiizh. - CVE-2026-14383: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13861: Use after free in Core. Reported by Google. - CVE-2026-13862: Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys). Reported by Google. - CVE-2026-13863: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13864: Insufficient policy enforcement in WebHID. Reported by Google. - CVE-2026-13865: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13866: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-13867: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-13868: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14384: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13869: Use after free in Device. Reported by Google. - CVE-2026-13870: Use after free in WebView. Reported by Google. - CVE-2026-13871: Insufficient data validation in GuestView. Reported by Google. - CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13873: Out of bounds memory access in Layout. Reported by Google. - CVE-2026-13874: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13875: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-13876: Inappropriate implementation in Network. Reported by Google. - CVE-2026-13877: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13878: Use after free in Bluetooth. Reported by Google. - CVE-2026-13879: Use after free in Bluetooth. Reported by Google. - CVE-2026-13880: Use after free in USB. Reported by Google. - CVE-2026-13881: Insufficient data validation in WebAppInstalls. Reported by Google. - CVE-2026-13882: Inappropriate implementation in USB. Reported by Google - CVE-2026-13883: Type Confusion in ANGLE. Reported by Google. - CVE-2026-13884: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-14387: Integer overflow in Skia. Reported by Google. - CVE-2026-13885: Use after free in Skia. Reported by Google. - CVE-2026-13886: Policy bypass in Isolated Web Apps. Reported by Google. - CVE-2026-14388: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-14389: Integer overflow in Skia. Reported by Google. - CVE-2026-13887: Insufficient policy enforcement in NFC. Reported by Google. - CVE-2026-13888: Use after free in Extensions. Reported by Google. - CVE-2026-13889: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-13890: Out of bounds read in Chromecast. Reported by Google. - CVE-2026-13891: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13892: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13893: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-13894: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-13895: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13896: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-13897: Insufficient policy enforcement in Chromecast. Reported by Google. - CVE-2026-13898: Use after free in Cast Receiver. Reported by Google. - CVE-2026-13899: Use after free in HTML. Reported by Google. - CVE-2026-13900: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-13901: Insufficient validation of untrusted input in Serial. Reported by Google. - CVE-2026-13902: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13903: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-13904: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13905: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13906: Out of bounds read in Codecs. Reported by Google. - CVE-2026-13907: Inappropriate implementation in iOSWeb. Reported by Google. - CVE-2026-13908: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-13909: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-13910: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-13911: Insufficient data validation in Spellcheck. Reported by Google. - CVE-2026-13912: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13913: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-13914: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13915: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13916: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13917: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13918: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13919: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-14393: Use after free in V8. Reported by Google. - CVE-2026-13920: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-13921: Insufficient validation of untrusted input in DeviceBoundSessionCredentials. Reported by Google. - CVE-2026-13922: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-13923: Uninitialized Use in GPU. Reported by Google. - CVE-2026-14397: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-13924: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-13925: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-13926: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-13927: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-13928: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13929: Insufficient validation of untrusted input in DevTools. Reported by LegioSec. - CVE-2026-13930: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-13931: Inappropriate implementation in Media. Reported by Google. - CVE-2026-13932: Inappropriate implementation in Sharing. Reported by Google. - CVE-2026-13933: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13934: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14399: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13935: Side-channel information leakage in ComputePressure. Reported by Google. - CVE-2026-13936: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13937: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13938: Integer overflow in Fonts. Reported by Google. - CVE-2026-13939: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-13940: Uninitialized Use in Cast. Reported by Google. - CVE-2026-13941: Inappropriate implementation in SiteSettings. Reported by Google. - CVE-2026-13942: Insufficient validation of untrusted input in Video Capture. Reported by Google. - CVE-2026-13943: Uninitialized Use in CSS. Reported by Google. - CVE-2026-13944: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13945: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13946: Inappropriate implementation in ScriptInjections. Reported by Google. - CVE-2026-13947: Uninitialized Use in XR. Reported by Google. - CVE-2026-13948: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13949: Insufficient policy enforcement in Payments. Reported by Google. - CVE-2026-14404: Inappropriate implementation in PDFium. Reported by Google. - CVE-2026-13950: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13951: Policy bypass in USB. Reported by Google. - CVE-2026-13952: Inappropriate implementation in PerformanceAPIs. Reported by Google. - CVE-2026-14406: Out of bounds read in V8. Reported by Google. - CVE-2026-13953: Inappropriate implementation in SplitView. Reported by Google. - CVE-2026-13954: Insufficient policy enforcement in XML. Reported by Google. - CVE-2026-13955: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13956: Incorrect security UI in PageInfo. Reported by Google. - CVE-2026-13957: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13958: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14407: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13959: Insufficient validation of untrusted input in Blink. Reported by Google. - CVE-2026-13960: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13961: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13962: Insufficient data validation in PDF. Reported by Google - CVE-2026-13963: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-13964: Insufficient policy enforcement in WebView. Reported by Google. - CVE-2026-13965: Use after free in Oilpan. Reported by Google. - CVE-2026-13966: Inappropriate implementation in History. Reported by Google. - CVE-2026-13967: Type Confusion in V8. Reported by Google. - CVE-2026-13968: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13969: Uninitialized Use in UI. Reported by Google. - CVE-2026-13970: Uninitialized Use in Media. Reported by Google. - CVE-2026-13971: Uninitialized Use in Skia. Reported by Google. - CVE-2026-13972: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13973: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13974: Integer overflow in Safe Browsing. Reported by Google. - CVE-2026-13975: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13976: Heap buffer overflow in Storage. Reported by Google. - CVE-2026-13977: Inappropriate implementation in HTMLParser. Reported by Google. - CVE-2026-13978: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-14414: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-13979: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13980: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13981: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13982: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-13983: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13984: Incorrect security UI in TabStrip. Reported by Google. - CVE-2026-13985: Inappropriate implementation in MediaCapture. Reported by Google. - CVE-2026-13986: Inappropriate implementation in Media UI. Reported by Google. - CVE-2026-13987: Incorrect security UI in Mobile. Reported by Google. - CVE-2026-13988: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13989: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-13990: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-13991: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13992: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13993: Incorrect security UI in WebAppInstalls. Reported by Google. - CVE-2026-13994: Inappropriate implementation in Credential Management. Reported by Google. - CVE-2026-13995: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-13996: Incorrect security UI in Permissions. Reported by Google. - CVE-2026-13997: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13998: Incorrect security UI in File Input. Reported by Google - CVE-2026-13999: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14000: Inappropriate implementation in XML. Reported by Google - CVE-2026-14001: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14002: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-14003: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14004: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14005: Use after free in Omnibox. Reported by Google. - CVE-2026-14006: Use after free in Navigation. Reported by Google. - CVE-2026-14007: Insufficient policy enforcement in PermissionsPolicy. Reported by Google. - CVE-2026-14008: Uninitialized Use in WebXR. Reported by Google. - CVE-2026-14009: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-14010: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14011: Out of bounds read in SurfaceCapture. Reported by Google. - CVE-2026-14421: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-14012: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14013: Inappropriate implementation in SVG. Reported by Google - CVE-2026-14014: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-14015: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-14016: Insufficient policy enforcement in SVG. Reported by Google. - CVE-2026-14017: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-14018: Use after free in Updater. Reported by Google. - CVE-2026-14019: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-14020: Insufficient validation of untrusted input in WebXR. Reported by Google. - CVE-2026-14021: Insufficient validation of untrusted input in StorageAccessAPI. Reported by Google. - CVE-2026-14022: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14023: Insufficient validation of untrusted input in SanitizerAPI. Reported by Google. - CVE-2026-14024: Use after free in Ozone. Reported by Google. - CVE-2026-14432: Use after free in V8. Reported by Google. - CVE-2026-14025: Use after free in Views. Reported by asjidkalam. - CVE-2026-14026: Incorrect security UI in SplitView. Reported by adisahilna35@gmail.com. - CVE-2026-14027: Use after free in SignIn. Reported by Sven Dysthe (@svn-dys). - CVE-2026-14028: Incorrect security UI in Chrome for iOS. Reported by Ameen Basha M K. - CVE-2026-14030: Incorrect security UI in SplitView. Reported by Khalil Zhani. - CVE-2026-14031: Incorrect security UI in File Input. Reported by Google - CVE-2026-14032: Use after free in Bluetooth. Reported by Google. - CVE-2026-14033: Insufficient policy enforcement in Media. Reported by Google. - CVE-2026-14034: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14035: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14036: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14037: Insufficient policy enforcement in GPU. Reported by Google. - CVE-2026-14038: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-14039: Insufficient policy enforcement in GetUserMedia. Reported by Google. - CVE-2026-14040: Use after free in BrowserTag. Reported by Google. - CVE-2026-14041: Insufficient policy enforcement in Serial. Reported by Google. - CVE-2026-14042: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-14043: Use after free in GetUserMedia. Reported by Google. - CVE-2026-14044: Use after free in ANGLE. Reported by Google. - CVE-2026-14045: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14046: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-14047: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14048: Use after free in Chromecast. Reported by Google. - CVE-2026-14049: Inappropriate implementation in GPU. Reported by Google - CVE-2026-14050: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-14051: Uninitialized Use in GamepadAPI. Reported by Google. - CVE-2026-14052: Insufficient policy enforcement in FileSystem. Reported by Google. - CVE-2026-14053: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14054: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-14055: Insufficient validation of untrusted input in Device Trust. Reported by Google. - CVE-2026-14056: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-14057: Insufficient policy enforcement in FedCM. Reported by Google. - CVE-2026-14058: Policy bypass in Parser. Reported by Google. - CVE-2026-14059: Insufficient policy enforcement in Related-Website-Sets. Reported by Google. - CVE-2026-14060: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14061: Inappropriate implementation in Dawn. Reported by Google. - CVE-2026-14062: Inappropriate implementation in Views. Reported by Google. - CVE-2026-14063: Out of bounds memory access in Chromecast. Reported by Google. - CVE-2026-14064: Use after free in PageInfo. Reported by Google. - CVE-2026-14065: Insufficient validation of untrusted input in PageInfo. Reported by Google. - CVE-2026-14066: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14067: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14068: Inappropriate implementation in Omnibox. Reported by Google. - CVE-2026-14069: Integer overflow in WebNN. Reported by Google. - CVE-2026-14070: Uninitialized Use in WebNN. Reported by Google. - CVE-2026-14071: Side-channel information leakage in WebAudio. Reported by Google. - CVE-2026-14072: Incorrect security UI in SplitView. Reported by FARISSAL B. - CVE-2026-14073: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-14394: Use after free in V8. Reported by Google. - CVE-2026-14395: Out of bounds write in V8. Reported by Google. - CVE-2026-14074: Side-channel information leakage in WebAuthentication. Reported by Google. - CVE-2026-14075: Policy bypass in Chrome for iOS. Reported by Google. - CVE-2026-14076: Policy bypass in Network. Reported by Google. - CVE-2026-14077: Incorrect security UI in Select. Reported by pwn.ai. - CVE-2026-14078: Policy bypass in WebRTC. Reported by Google. - CVE-2026-14079: Policy bypass in Network. Reported by Google. - CVE-2026-14080: Insufficient validation of untrusted input in TabSwitcher. Reported by Google. - CVE-2026-14081: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-14082: Race in Storage. Reported by Google. - CVE-2026-14083: Insufficient validation of untrusted input in HTML. Reported by Google. - CVE-2026-14084: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14085: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14086: Insufficient policy enforcement in HID. Reported by Google. - CVE-2026-14087: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-14088: Uninitialized Use in Canvas. Reported by Google. - CVE-2026-14089: Insufficient validation of untrusted input in PopupBlocker. Reported by Google. - CVE-2026-14090: Out of bounds read in CameraCapture. Reported by Google - CVE-2026-14091: Use after free in DevTools. Reported by Google. - CVE-2026-14092: Insufficient policy enforcement in Privacy. Reported by Google. - CVE-2026-14093: Use after free in Cast. Reported by Google. - CVE-2026-14094: Use after free in Installer. Reported by Google. - CVE-2026-14095: Insufficient validation of untrusted input in Browser. Reported by Google. - CVE-2026-14403: Use after free in V8. Reported by Google. - CVE-2026-14096: Object lifecycle issue in Input. Reported by Google. - CVE-2026-14097: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14098: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14405: Uninitialized Use in V8. Reported by Google. - CVE-2026-14099: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14100: Insufficient data validation in NetworkCache. Reported by Google. - CVE-2026-14101: Insufficient policy enforcement in Sandbox. Reported by Google. - CVE-2026-14102: Use after free in Passwords. Reported by Google. - CVE-2026-14103: Use after free in SSL. Reported by Google. - CVE-2026-14104: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14105: Insufficient policy enforcement in Speech. Reported by Google. - CVE-2026-14106: Insufficient validation of untrusted input in Text. Reported by Google. - CVE-2026-14107: Use after free in Scheduling. Reported by Google. - CVE-2026-14108: Use after free in PDFium. Reported by Google. - CVE-2026-14109: Insufficient policy enforcement in Mojo. Reported by Google. - CVE-2026-14110: Inappropriate implementation in DarkMode. Reported by Google. - CVE-2026-14111: Use after free in WebProtect. Reported by Google. - CVE-2026-14112: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-14113: Use after free in Updater. Reported by Google. - CVE-2026-14114: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14115: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-14116: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14117: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14118: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-14119: Type Confusion in Bluetooth. Reported by Google. - CVE-2026-14120: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14121: Use after free in Chromoting. Reported by Google. - CVE-2026-14409: Inappropriate implementation in V8. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab. - CVE-2026-14122: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14410: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-14123: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14124: Inappropriate implementation in CredentialProvider. Reported by Google. - CVE-2026-14125: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14126: Incorrect security UI in UI. Reported by Google. - CVE-2026-14127: Inappropriate implementation in Printing. Reported by Google. - CVE-2026-14128: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-14129: Incorrect security UI in PreviewTab. Reported by Google - CVE-2026-14130: Incorrect security UI in Omnibox. Reported by Google. - CVE-2026-14131: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14132: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14133: Race in History Embeddings. Reported by Google. - CVE-2026-14134: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-14135: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14136: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14137: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14138: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14139: Inappropriate implementation in TabStrip. Reported by Google. - CVE-2026-14140: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-14141: Incorrect security UI in Document Picture-in-Picture. Reported by Google. - CVE-2026-14142: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14143: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-14144: Incorrect security UI in Views. Reported by Google. - CVE-2026-14145: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14146: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14147: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14415: Inappropriate implementation in V8. Reported by Google. - CVE-2026-14148: Type Confusion in CSS. Reported by Google. - CVE-2026-14149: Use after free in Audio. Reported by Google. - CVE-2026-14416: Out of bounds read in Dawn. Reported by Google. - CVE-2026-14150: Insufficient validation of untrusted input in Speech. Reported by Google. - CVE-2026-14151: Inappropriate implementation in AI. Reported by Google. - CVE-2026-14152: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14153: Inappropriate implementation in Glic. Reported by Google. - CVE-2026-14154: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14155: Insufficient policy enforcement in StorageAccessAPI. Reported by Google. - CVE-2026-14156: Policy bypass in StorageAccessAPI. Reported by Google. - CVE-2026-13281: Integer overflow in Mojo. Reported by Google. - CVE-2026-13282: Use after free in Payments. Reported by Google. - CVE-2026-13283: Use after free in AdFilter. Reported by Google. * d/copyright: - delete third_party/webpagereplay/. - delete tsgo (typescript compiler in Go) binary. * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: drop, merged upstream. - disable/android.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/libcpp-headers.patch: rework parts of the patch due to upstream changes. - disable/catapult.patch: refresh. - disable/tests.patch: refresh. - llvm-19/clang19.patch: refresh. - trixie/gn-expand-dir-allowlist.patch: refresh. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - i386/support-i386.patch: refresh. - upstream/sysroot.patch: add a new build fix pulled from upstream. - upstream/ar-path1.patch, upstream/ar-path2.patch: add two more vendoring-related build fixes from upstream. - trixie/gn-additional-outputs.patch: add patch to partially revert usage of a newer generate-ninja feature. - llvm-19/i18n-builder-enum.patch: add a workaround for clang-19 being confused between a class declaration (with default template parameter) and definition. - llvm-19/00*-revert-v8-libm.patch: add 9 patches backing out usage of internal libc++/libm symbols; this requires a newer llvm than we have. - llvm-19/value-or.patch: work around more places where value_or() can't figure out the type of a passed init value. - trixie/node20-compat.patch: break out part of Daniel's node18-compat.patch (below) into one for trixie that also fixes nodejs 20 issues [trixie, bookworm]. - rust-1.85/std-from-utf8.patch: add workaround for str::from_utf8 added in 1.87 [trixie, bookworm]. - trixie/bindgen-boringssl.patch: add workaround for older bindgen [trixie, bookworm]. . [ Daniel Richard G. ] * d/patches: - bookworm/gn-absl.patch: Refresh [bookworm]. - bookworm/gn-funcs.patch: Zap new usage of filter_labels_include() [bookworm]. - bookworm/node18-compat.patch: Fix more cases of nodejs v18 breakage [bookworm]. - trixie/gn-module-name.patch: add more spots where the workaround is needed [trixie, bookworm]. . [ Jianfeng Liu ] * d/patches: - upstream/libyuv-loongarch-fix-row_lsx.cc-and-row_lasx.cc.patch: Fix build for libyuv loongarch64. - loongarch64/0015-ffmpeg-support-for-loongarch.patch: Refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - fixes/fix-rust-linking.patch: refresh for upstream changes - fixes/fix-breakpad-compile.patch: refresh for upstream changes - third_party/dawn-fix-ppc64le-detection.patch: refresh for upstream changes - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes chromium (150.0.7871.46-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-13774: Use after free in Extensions. Reported by Google. - CVE-2026-13775: Use after free in GPU. Reported by Google. - CVE-2026-14398: Use after free in ANGLE. Reported by Google. - CVE-2026-13776: Type Confusion in Dawn. Reported by Google. - CVE-2026-13777: Insufficient validation of untrusted input in iOSWeb. Reported by Google. - CVE-2026-13778: Use after free in WebUSB. Reported by Google. - CVE-2026-13779: Use after free in Chromoting. Reported by Google. - CVE-2026-13780: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13781: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14417: Use after free in Dawn. Reported by Google. - CVE-2026-13782: Use after free in Browser. Reported by Google. - CVE-2026-13783: Use after free in Views. Reported by Google. - CVE-2026-13784: Use after free in Views. Reported by Google. - CVE-2026-14419: Use after free in Skia. Reported by Google. - CVE-2026-13785: Use after free in Bluetooth. Reported by Google. - CVE-2026-14420: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-13786: Use after free in Ozone. Reported by Google. - CVE-2026-14427: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-13787: Use after free in Chromoting. Reported by Google. - CVE-2026-13788: Use after free in Fullscreen. Reported by Google. - CVE-2026-14382: Insufficient validation of untrusted input in ANGLE. Reported by anonymous. - CVE-2026-13790: Side-channel information leakage in Scroll. Reported by Vsevolod Kokorin (Slonser) of Solidlab and Jorian Woltjer. - CVE-2026-14385: Heap buffer overflow in ANGLE. Reported by Thomas Guillem . - CVE-2026-13791: Insufficient validation of untrusted input in Downloads. Reported by Ron Masas (Imperva). - CVE-2026-13792: Use after free in Touchbar. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-13793: Insufficient policy enforcement in SVG. Reported by pakhunov.anton.n@gmail.com. - CVE-2026-14392: Out of bounds write in Tint. Reported by FastPL Group, Imperial College London. - CVE-2026-13794: Insufficient validation of untrusted input in WebAppInstalls. Reported by Daniel Rodríguez. - CVE-2026-14422: Out of bounds read and write in Tint. Reported by Michal Andryskowski. - CVE-2026-13795: Insufficient policy enforcement in Chrome for iOS. Reported by maitai. - CVE-2026-14426: Use after free in V8. Reported by ywatanabee. - CVE-2026-13796: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13797: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-14386: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13798: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-13799: Use after free in QUIC. Reported by Google. - CVE-2026-13800: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-13801: Integer overflow in Chromecast. Reported by Google. - CVE-2026-13802: Use after free in Views. Reported by Google. - CVE-2026-13803: Type Confusion in Chrome Tabs. Reported by Google. - CVE-2026-13804: Use after free in Chromecast. Reported by Google. - CVE-2026-13805: Use after free in GFX. Reported by Google. - CVE-2026-14390: Use after free in ANGLE. Reported by Google. - CVE-2026-13806: Insufficient validation of untrusted input in Accessibility. Reported by Google. - CVE-2026-13807: Use after free in Import. Reported by Google. - CVE-2026-13808: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-13809: Side-channel information leakage in Safe Browsing. Reported by Google. - CVE-2026-13810: Inappropriate implementation in Input. Reported by dilipsc03@gmail.com. - CVE-2026-13811: Use after free in IME. Reported by Google. - CVE-2026-13812: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13813: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13814: Use after free in Views. Reported by Google. - CVE-2026-13815: Use after free in Blink. Reported by Google. - CVE-2026-13816: Insufficient validation of untrusted input in File Input. Reported by Google. - CVE-2026-14396: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13817: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-13818: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13819: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13820: Out of bounds read in Skia. Reported by Google. - CVE-2026-14400: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14401: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14402: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13821: Use after free in Canvas. Reported by Google. - CVE-2026-13822: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-13823: Use after free in Glic. Reported by Google. - CVE-2026-13824: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13825: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13826: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13827: Use after free in Updater. Reported by Google. - CVE-2026-13828: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-13829: Insufficient validation of untrusted input in Settings. Reported by Google. - CVE-2026-13830: Use after free in Chromoting. Reported by Google. - CVE-2026-13831: Use after free in GPU. Reported by Google. - CVE-2026-13832: Use after free in Headless. Reported by Google. - CVE-2026-14411: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13833: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14412: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-14413: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13834: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13835: Inappropriate implementation in XML. Reported by Google. - CVE-2026-13836: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13837: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13838: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13839: Inappropriate implementation in CSS. Reported by Google. - CVE-2026-13840: Insufficient policy enforcement in Canvas. Reported by Binglin Song. - CVE-2026-13841: Integer overflow in Skia. Reported by Google. - CVE-2026-13842: Incorrect security UI in Chrome for iOS. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-14418: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-13843: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13844: Use after free in Updater. Reported by Google. - CVE-2026-13845: Use after free in DOM. Reported by Google. - CVE-2026-13846: Use after free in USB. Reported by Google. - CVE-2026-13847: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13848: Use after free in Forms. Reported by Google. - CVE-2026-13849: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14423: Type Confusion in Tint. Reported by Google. - CVE-2026-13850: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14424: Use after free in Dawn. Reported by Google. - CVE-2026-14425: Use after free in ANGLE. Reported by Google. - CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14428: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14429: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-14430: Integer overflow in V8. Reported by Google. - CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13853: Use after free in Journeys. Reported by Google. - CVE-2026-13854: Use after free in Ozone. Reported by Google. - CVE-2026-14431: Type Confusion in V8. Reported by OpenAI Codex Security (amyb). - CVE-2026-13855: Use after free in Ozone. Reported by Google. - CVE-2026-13856: Insufficient validation of untrusted input in Speech. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-13857: Inappropriate implementation in Geometry. Reported by Luan Herrera (@lbherrera_). - CVE-2026-13858: Out of bounds read in FFmpeg. Reported by Wongi Lee (@_qwerty_po) of Theori with Xint Code, Jungwoo Lee (@physicube). - CVE-2026-13859: Inappropriate implementation in ANGLE. Reported by Jason Villaluna. - CVE-2026-14391: Integer overflow in ANGLE. Reported by Quac Tran. - CVE-2026-13860: Incorrect security UI in Autofill. Reported by Khalil Zhani. - CVE-2026-14408: Uninitialized Use in Dawn. Reported by Chrovus. - CVE-2026-14381: Incorrect security UI in WebAppInstalls. Reported by Hafiizh. - CVE-2026-14383: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13861: Use after free in Core. Reported by Google. - CVE-2026-13862: Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys). Reported by Google. - CVE-2026-13863: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13864: Insufficient policy enforcement in WebHID. Reported by Google. - CVE-2026-13865: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13866: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-13867: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-13868: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14384: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13869: Use after free in Device. Reported by Google. - CVE-2026-13870: Use after free in WebView. Reported by Google. - CVE-2026-13871: Insufficient data validation in GuestView. Reported by Google. - CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-13873: Out of bounds memory access in Layout. Reported by Google. - CVE-2026-13874: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13875: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-13876: Inappropriate implementation in Network. Reported by Google. - CVE-2026-13877: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-13878: Use after free in Bluetooth. Reported by Google. - CVE-2026-13879: Use after free in Bluetooth. Reported by Google. - CVE-2026-13880: Use after free in USB. Reported by Google. - CVE-2026-13881: Insufficient data validation in WebAppInstalls. Reported by Google. - CVE-2026-13882: Inappropriate implementation in USB. Reported by Google - CVE-2026-13883: Type Confusion in ANGLE. Reported by Google. - CVE-2026-13884: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-14387: Integer overflow in Skia. Reported by Google. - CVE-2026-13885: Use after free in Skia. Reported by Google. - CVE-2026-13886: Policy bypass in Isolated Web Apps. Reported by Google. - CVE-2026-14388: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-14389: Integer overflow in Skia. Reported by Google. - CVE-2026-13887: Insufficient policy enforcement in NFC. Reported by Google. - CVE-2026-13888: Use after free in Extensions. Reported by Google. - CVE-2026-13889: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-13890: Out of bounds read in Chromecast. Reported by Google. - CVE-2026-13891: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-13892: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13893: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-13894: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-13895: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13896: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-13897: Insufficient policy enforcement in Chromecast. Reported by Google. - CVE-2026-13898: Use after free in Cast Receiver. Reported by Google. - CVE-2026-13899: Use after free in HTML. Reported by Google. - CVE-2026-13900: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-13901: Insufficient validation of untrusted input in Serial. Reported by Google. - CVE-2026-13902: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13903: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-13904: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13905: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13906: Out of bounds read in Codecs. Reported by Google. - CVE-2026-13907: Inappropriate implementation in iOSWeb. Reported by Google. - CVE-2026-13908: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-13909: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-13910: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-13911: Insufficient data validation in Spellcheck. Reported by Google. - CVE-2026-13912: Incorrect security UI in Safe Browsing. Reported by Google. - CVE-2026-13913: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-13914: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13915: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13916: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13917: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13918: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-13919: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-14393: Use after free in V8. Reported by Google. - CVE-2026-13920: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-13921: Insufficient validation of untrusted input in DeviceBoundSessionCredentials. Reported by Google. - CVE-2026-13922: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-13923: Uninitialized Use in GPU. Reported by Google. - CVE-2026-14397: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-13924: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-13925: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-13926: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-13927: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-13928: Insufficient validation of untrusted input in Enterprise. Reported by Google. - CVE-2026-13929: Insufficient validation of untrusted input in DevTools. Reported by LegioSec. - CVE-2026-13930: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-13931: Inappropriate implementation in Media. Reported by Google. - CVE-2026-13932: Inappropriate implementation in Sharing. Reported by Google. - CVE-2026-13933: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13934: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-14399: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-13935: Side-channel information leakage in ComputePressure. Reported by Google. - CVE-2026-13936: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13937: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-13938: Integer overflow in Fonts. Reported by Google. - CVE-2026-13939: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-13940: Uninitialized Use in Cast. Reported by Google. - CVE-2026-13941: Inappropriate implementation in SiteSettings. Reported by Google. - CVE-2026-13942: Insufficient validation of untrusted input in Video Capture. Reported by Google. - CVE-2026-13943: Uninitialized Use in CSS. Reported by Google. - CVE-2026-13944: Inappropriate implementation in DataTransfer. Reported by Google. - CVE-2026-13945: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13946: Inappropriate implementation in ScriptInjections. Reported by Google. - CVE-2026-13947: Uninitialized Use in XR. Reported by Google. - CVE-2026-13948: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-13949: Insufficient policy enforcement in Payments. Reported by Google. - CVE-2026-14404: Inappropriate implementation in PDFium. Reported by Google. - CVE-2026-13950: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13951: Policy bypass in USB. Reported by Google. - CVE-2026-13952: Inappropriate implementation in PerformanceAPIs. Reported by Google. - CVE-2026-14406: Out of bounds read in V8. Reported by Google. - CVE-2026-13953: Inappropriate implementation in SplitView. Reported by Google. - CVE-2026-13954: Insufficient policy enforcement in XML. Reported by Google. - CVE-2026-13955: Insufficient validation of untrusted input in CustomTabs. Reported by Google. - CVE-2026-13956: Incorrect security UI in PageInfo. Reported by Google. - CVE-2026-13957: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13958: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14407: Inappropriate implementation in V8. Reported by Google. - CVE-2026-13959: Insufficient validation of untrusted input in Blink. Reported by Google. - CVE-2026-13960: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13961: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13962: Insufficient data validation in PDF. Reported by Google - CVE-2026-13963: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-13964: Insufficient policy enforcement in WebView. Reported by Google. - CVE-2026-13965: Use after free in Oilpan. Reported by Google. - CVE-2026-13966: Inappropriate implementation in History. Reported by Google. - CVE-2026-13967: Type Confusion in V8. Reported by Google. - CVE-2026-13968: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13969: Uninitialized Use in UI. Reported by Google. - CVE-2026-13970: Uninitialized Use in Media. Reported by Google. - CVE-2026-13971: Uninitialized Use in Skia. Reported by Google. - CVE-2026-13972: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13973: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13974: Integer overflow in Safe Browsing. Reported by Google. - CVE-2026-13975: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-13976: Heap buffer overflow in Storage. Reported by Google. - CVE-2026-13977: Inappropriate implementation in HTMLParser. Reported by Google. - CVE-2026-13978: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-14414: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-13979: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13980: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13981: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-13982: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-13983: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-13984: Incorrect security UI in TabStrip. Reported by Google. - CVE-2026-13985: Inappropriate implementation in MediaCapture. Reported by Google. - CVE-2026-13986: Inappropriate implementation in Media UI. Reported by Google. - CVE-2026-13987: Incorrect security UI in Mobile. Reported by Google. - CVE-2026-13988: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-13989: Insufficient policy enforcement in PageInfo. Reported by Google. - CVE-2026-13990: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-13991: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-13992: Inappropriate implementation in UI. Reported by Google. - CVE-2026-13993: Incorrect security UI in WebAppInstalls. Reported by Google. - CVE-2026-13994: Inappropriate implementation in Credential Management. Reported by Google. - CVE-2026-13995: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-13996: Incorrect security UI in Permissions. Reported by Google. - CVE-2026-13997: Incorrect security UI in Extensions. Reported by Google - CVE-2026-13998: Incorrect security UI in File Input. Reported by Google - CVE-2026-13999: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14000: Inappropriate implementation in XML. Reported by Google - CVE-2026-14001: Inappropriate implementation in Network. Reported by Google. - CVE-2026-14002: Inappropriate implementation in Geolocation. Reported by Google. - CVE-2026-14003: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14004: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14005: Use after free in Omnibox. Reported by Google. - CVE-2026-14006: Use after free in Navigation. Reported by Google. - CVE-2026-14007: Insufficient policy enforcement in PermissionsPolicy. Reported by Google. - CVE-2026-14008: Uninitialized Use in WebXR. Reported by Google. - CVE-2026-14009: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-14010: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-14011: Out of bounds read in SurfaceCapture. Reported by Google. - CVE-2026-14421: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-14012: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14013: Inappropriate implementation in SVG. Reported by Google - CVE-2026-14014: Inappropriate implementation in Paint. Reported by Google. - CVE-2026-14015: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-14016: Insufficient policy enforcement in SVG. Reported by Google. - CVE-2026-14017: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-14018: Use after free in Updater. Reported by Google. - CVE-2026-14019: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-14020: Insufficient validation of untrusted input in WebXR. Reported by Google. - CVE-2026-14021: Insufficient validation of untrusted input in StorageAccessAPI. Reported by Google. - CVE-2026-14022: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14023: Insufficient validation of untrusted input in SanitizerAPI. Reported by Google. - CVE-2026-14024: Use after free in Ozone. Reported by Google. - CVE-2026-14432: Use after free in V8. Reported by Google. - CVE-2026-14025: Use after free in Views. Reported by asjidkalam. - CVE-2026-14026: Incorrect security UI in SplitView. Reported by adisahilna35@gmail.com. - CVE-2026-14027: Use after free in SignIn. Reported by Sven Dysthe (@svn-dys). - CVE-2026-14028: Incorrect security UI in Chrome for iOS. Reported by Ameen Basha M K. - CVE-2026-14030: Incorrect security UI in SplitView. Reported by Khalil Zhani. - CVE-2026-14031: Incorrect security UI in File Input. Reported by Google - CVE-2026-14032: Use after free in Bluetooth. Reported by Google. - CVE-2026-14033: Insufficient policy enforcement in Media. Reported by Google. - CVE-2026-14034: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14035: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14036: Insufficient policy enforcement in Bluetooth. Reported by Google. - CVE-2026-14037: Insufficient policy enforcement in GPU. Reported by Google. - CVE-2026-14038: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-14039: Insufficient policy enforcement in GetUserMedia. Reported by Google. - CVE-2026-14040: Use after free in BrowserTag. Reported by Google. - CVE-2026-14041: Insufficient policy enforcement in Serial. Reported by Google. - CVE-2026-14042: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-14043: Use after free in GetUserMedia. Reported by Google. - CVE-2026-14044: Use after free in ANGLE. Reported by Google. - CVE-2026-14045: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14046: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-14047: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14048: Use after free in Chromecast. Reported by Google. - CVE-2026-14049: Inappropriate implementation in GPU. Reported by Google - CVE-2026-14050: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-14051: Uninitialized Use in GamepadAPI. Reported by Google. - CVE-2026-14052: Insufficient policy enforcement in FileSystem. Reported by Google. - CVE-2026-14053: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-14054: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-14055: Insufficient validation of untrusted input in Device Trust. Reported by Google. - CVE-2026-14056: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-14057: Insufficient policy enforcement in FedCM. Reported by Google. - CVE-2026-14058: Policy bypass in Parser. Reported by Google. - CVE-2026-14059: Insufficient policy enforcement in Related-Website-Sets. Reported by Google. - CVE-2026-14060: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14061: Inappropriate implementation in Dawn. Reported by Google. - CVE-2026-14062: Inappropriate implementation in Views. Reported by Google. - CVE-2026-14063: Out of bounds memory access in Chromecast. Reported by Google. - CVE-2026-14064: Use after free in PageInfo. Reported by Google. - CVE-2026-14065: Insufficient validation of untrusted input in PageInfo. Reported by Google. - CVE-2026-14066: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14067: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14068: Inappropriate implementation in Omnibox. Reported by Google. - CVE-2026-14069: Integer overflow in WebNN. Reported by Google. - CVE-2026-14070: Uninitialized Use in WebNN. Reported by Google. - CVE-2026-14071: Side-channel information leakage in WebAudio. Reported by Google. - CVE-2026-14072: Incorrect security UI in SplitView. Reported by FARISSAL B. - CVE-2026-14073: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-14394: Use after free in V8. Reported by Google. - CVE-2026-14395: Out of bounds write in V8. Reported by Google. - CVE-2026-14074: Side-channel information leakage in WebAuthentication. Reported by Google. - CVE-2026-14075: Policy bypass in Chrome for iOS. Reported by Google. - CVE-2026-14076: Policy bypass in Network. Reported by Google. - CVE-2026-14077: Incorrect security UI in Select. Reported by pwn.ai. - CVE-2026-14078: Policy bypass in WebRTC. Reported by Google. - CVE-2026-14079: Policy bypass in Network. Reported by Google. - CVE-2026-14080: Insufficient validation of untrusted input in TabSwitcher. Reported by Google. - CVE-2026-14081: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-14082: Race in Storage. Reported by Google. - CVE-2026-14083: Insufficient validation of untrusted input in HTML. Reported by Google. - CVE-2026-14084: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-14085: Side-channel information leakage in CSS. Reported by Google. - CVE-2026-14086: Insufficient policy enforcement in HID. Reported by Google. - CVE-2026-14087: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-14088: Uninitialized Use in Canvas. Reported by Google. - CVE-2026-14089: Insufficient validation of untrusted input in PopupBlocker. Reported by Google. - CVE-2026-14090: Out of bounds read in CameraCapture. Reported by Google - CVE-2026-14091: Use after free in DevTools. Reported by Google. - CVE-2026-14092: Insufficient policy enforcement in Privacy. Reported by Google. - CVE-2026-14093: Use after free in Cast. Reported by Google. - CVE-2026-14094: Use after free in Installer. Reported by Google. - CVE-2026-14095: Insufficient validation of untrusted input in Browser. Reported by Google. - CVE-2026-14403: Use after free in V8. Reported by Google. - CVE-2026-14096: Object lifecycle issue in Input. Reported by Google. - CVE-2026-14097: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14098: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14405: Uninitialized Use in V8. Reported by Google. - CVE-2026-14099: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-14100: Insufficient data validation in NetworkCache. Reported by Google. - CVE-2026-14101: Insufficient policy enforcement in Sandbox. Reported by Google. - CVE-2026-14102: Use after free in Passwords. Reported by Google. - CVE-2026-14103: Use after free in SSL. Reported by Google. - CVE-2026-14104: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14105: Insufficient policy enforcement in Speech. Reported by Google. - CVE-2026-14106: Insufficient validation of untrusted input in Text. Reported by Google. - CVE-2026-14107: Use after free in Scheduling. Reported by Google. - CVE-2026-14108: Use after free in PDFium. Reported by Google. - CVE-2026-14109: Insufficient policy enforcement in Mojo. Reported by Google. - CVE-2026-14110: Inappropriate implementation in DarkMode. Reported by Google. - CVE-2026-14111: Use after free in WebProtect. Reported by Google. - CVE-2026-14112: Inappropriate implementation in Enterprise. Reported by Google. - CVE-2026-14113: Use after free in Updater. Reported by Google. - CVE-2026-14114: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14115: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-14116: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14117: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-14118: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-14119: Type Confusion in Bluetooth. Reported by Google. - CVE-2026-14120: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14121: Use after free in Chromoting. Reported by Google. - CVE-2026-14409: Inappropriate implementation in V8. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab. - CVE-2026-14122: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14410: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-14123: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14124: Inappropriate implementation in CredentialProvider. Reported by Google. - CVE-2026-14125: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-14126: Incorrect security UI in UI. Reported by Google. - CVE-2026-14127: Inappropriate implementation in Printing. Reported by Google. - CVE-2026-14128: Insufficient data validation in Chrome for iOS. Reported by Google. - CVE-2026-14129: Incorrect security UI in PreviewTab. Reported by Google - CVE-2026-14130: Incorrect security UI in Omnibox. Reported by Google. - CVE-2026-14131: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-14132: Inappropriate implementation in WebXR. Reported by Google. - CVE-2026-14133: Race in History Embeddings. Reported by Google. - CVE-2026-14134: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-14135: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-14136: Incorrect security UI in Chrome for iOS. Reported by Google. - CVE-2026-14137: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-14138: Inappropriate implementation in WebAppInstalls. Reported by Google. - CVE-2026-14139: Inappropriate implementation in TabStrip. Reported by Google. - CVE-2026-14140: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-14141: Incorrect security UI in Document Picture-in-Picture. Reported by Google. - CVE-2026-14142: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-14143: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-14144: Incorrect security UI in Views. Reported by Google. - CVE-2026-14145: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14146: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14147: Inappropriate implementation in CSS. Reported by Google - CVE-2026-14415: Inappropriate implementation in V8. Reported by Google. - CVE-2026-14148: Type Confusion in CSS. Reported by Google. - CVE-2026-14149: Use after free in Audio. Reported by Google. - CVE-2026-14416: Out of bounds read in Dawn. Reported by Google. - CVE-2026-14150: Insufficient validation of untrusted input in Speech. Reported by Google. - CVE-2026-14151: Inappropriate implementation in AI. Reported by Google. - CVE-2026-14152: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-14153: Inappropriate implementation in Glic. Reported by Google. - CVE-2026-14154: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-14155: Insufficient policy enforcement in StorageAccessAPI. Reported by Google. - CVE-2026-14156: Policy bypass in StorageAccessAPI. Reported by Google. - CVE-2026-13281: Integer overflow in Mojo. Reported by Google. - CVE-2026-13282: Use after free in Payments. Reported by Google. - CVE-2026-13283: Use after free in AdFilter. Reported by Google. * d/copyright: - delete third_party/webpagereplay/. - delete tsgo (typescript compiler in Go) binary. * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: drop, merged upstream. - disable/android.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/libcpp-headers.patch: rework parts of the patch due to upstream changes. - disable/catapult.patch: refresh. - disable/tests.patch: refresh. - llvm-19/clang19.patch: refresh. - trixie/gn-expand-dir-allowlist.patch: refresh. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - i386/support-i386.patch: refresh. - upstream/sysroot.patch: add a new build fix pulled from upstream. - upstream/ar-path1.patch, upstream/ar-path2.patch: add two more vendoring-related build fixes from upstream. - trixie/gn-additional-outputs.patch: add patch to partially revert usage of a newer generate-ninja feature. - llvm-19/i18n-builder-enum.patch: add a workaround for clang-19 being confused between a class declaration (with default template parameter) and definition. - llvm-19/00*-revert-v8-libm.patch: add 9 patches backing out usage of internal libc++/libm symbols; this requires a newer llvm than we have. - llvm-19/value-or.patch: work around more places where value_or() can't figure out the type of a passed init value. - trixie/node20-compat.patch: break out part of Daniel's node18-compat.patch (below) into one for trixie that also fixes nodejs 20 issues [trixie, bookworm]. - rust-1.85/std-from-utf8.patch: add workaround for str::from_utf8 added in 1.87 [trixie, bookworm]. - trixie/bindgen-boringssl.patch: add workaround for older bindgen [trixie, bookworm]. . [ Daniel Richard G. ] * d/patches: - bookworm/gn-absl.patch: Refresh [bookworm]. - bookworm/gn-funcs.patch: Zap new usage of filter_labels_include() [bookworm]. - bookworm/node18-compat.patch: Fix more cases of nodejs v18 breakage [bookworm]. - trixie/gn-module-name.patch: add more spots where the workaround is needed [trixie, bookworm]. . [ Jianfeng Liu ] * d/patches: - upstream/libyuv-loongarch-fix-row_lsx.cc-and-row_lasx.cc.patch: Fix build for libyuv loongarch64. - loongarch64/0015-ffmpeg-support-for-loongarch.patch: Refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - fixes/fix-rust-linking.patch: refresh for upstream changes - fixes/fix-breakpad-compile.patch: refresh for upstream changes - third_party/dawn-fix-ppc64le-detection.patch: refresh for upstream changes - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes chromium (149.0.7827.196-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. chromium (149.0.7827.196-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-13028: Use after free in WebGL. Reported by anonymous. - CVE-2026-13032: Use after free in WebGL. Reported by Google. - CVE-2026-13033: Out of bounds read in Blink>InterestGroups. Reported by Google. - CVE-2026-13038: Use after free in Autofill. Reported by Google. - CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials. Reported by Google. - CVE-2026-13022: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13023: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13024: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-13025: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13026: Use after free in Digital Credentials. Reported by Google. - CVE-2026-13027: Use after free in FileSystem. Reported by Google. - CVE-2026-13029: Use after free in Web Authentication. Reported by Google - CVE-2026-13030: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13031: Use after free in Blink. Reported by Google. - CVE-2026-13034: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13035: Use after free in Bluetooth. Reported by Google. - CVE-2026-13036: Use after free in Blink. Reported by Google. - CVE-2026-13037: Use after free in WebView. Reported by Google. chromium (149.0.7827.196-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-13028: Use after free in WebGL. Reported by anonymous. - CVE-2026-13032: Use after free in WebGL. Reported by Google. - CVE-2026-13033: Out of bounds read in Blink>InterestGroups. Reported by Google. - CVE-2026-13038: Use after free in Autofill. Reported by Google. - CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials. Reported by Google. - CVE-2026-13022: Inappropriate implementation in Autofill. Reported by Google. - CVE-2026-13023: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13024: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-13025: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-13026: Use after free in Digital Credentials. Reported by Google. - CVE-2026-13027: Use after free in FileSystem. Reported by Google. - CVE-2026-13029: Use after free in Web Authentication. Reported by Google - CVE-2026-13030: Uninitialized Use in GPU. Reported by Google. - CVE-2026-13031: Use after free in Blink. Reported by Google. - CVE-2026-13034: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-13035: Use after free in Bluetooth. Reported by Google. - CVE-2026-13036: Use after free in Blink. Reported by Google. - CVE-2026-13037: Use after free in WebView. Reported by Google. chromium (149.0.7827.155-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12437: Use after free in WebShare. Reported by Google. - CVE-2026-12438: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12439: Use after free in Digital Credentials. Reported by Google. - CVE-2026-12440: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12441: Use after free in File Input. Reported by Google. - CVE-2026-12442: Use after free in Passwords. Reported by Google. - CVE-2026-12443: Use after free in Web Authentication. Reported by Google - CVE-2026-12444: Out of bounds read in Chromoting. Reported by Google. - CVE-2026-12445: Use after free in Extensions. Reported by Google. - CVE-2026-12446: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-12447: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12448: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12449: Use after free in Chromoting. Reported by Google. - CVE-2026-12450: Inappropriate implementation in Media. Reported by Zhixin Tu. - CVE-2026-12451: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12452: Use after free in Downloads. Reported by Google. - CVE-2026-12453: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-12454: Race in Safe Browsing. Reported by Google. - CVE-2026-12455: Use after free in Tab Strip. Reported by Google. - CVE-2026-12456: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-12457: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-12458: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-12459: Inappropriate implementation in Serial. Reported by Google. - CVE-2026-12460: Insufficient policy enforcement in File System Access. Reported by Google. - CVE-2026-12461: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-12462: Use after free in Media. Reported by Google. - CVE-2026-12463: Inappropriate implementation in Views. Reported by Google. - CVE-2026-12464: Use after free in Browser. Reported by Google. - CVE-2026-12465: Insufficient validation of untrusted input in Metrics. Reported by Google. - CVE-2026-12466: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12467: Use after free in Extensions. Reported by Google. - CVE-2026-12468: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-12469: Uninitialized Use in GPU. Reported by Google. chromium (149.0.7827.155-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12437: Use after free in WebShare. Reported by Google. - CVE-2026-12438: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12439: Use after free in Digital Credentials. Reported by Google. - CVE-2026-12440: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12441: Use after free in File Input. Reported by Google. - CVE-2026-12442: Use after free in Passwords. Reported by Google. - CVE-2026-12443: Use after free in Web Authentication. Reported by Google - CVE-2026-12444: Out of bounds read in Chromoting. Reported by Google. - CVE-2026-12445: Use after free in Extensions. Reported by Google. - CVE-2026-12446: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-12447: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12448: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12449: Use after free in Chromoting. Reported by Google. - CVE-2026-12450: Inappropriate implementation in Media. Reported by Zhixin Tu. - CVE-2026-12451: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12452: Use after free in Downloads. Reported by Google. - CVE-2026-12453: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-12454: Race in Safe Browsing. Reported by Google. - CVE-2026-12455: Use after free in Tab Strip. Reported by Google. - CVE-2026-12456: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-12457: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-12458: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-12459: Inappropriate implementation in Serial. Reported by Google. - CVE-2026-12460: Insufficient policy enforcement in File System Access. Reported by Google. - CVE-2026-12461: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-12462: Use after free in Media. Reported by Google. - CVE-2026-12463: Inappropriate implementation in Views. Reported by Google. - CVE-2026-12464: Use after free in Browser. Reported by Google. - CVE-2026-12465: Insufficient validation of untrusted input in Metrics. Reported by Google. - CVE-2026-12466: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12467: Use after free in Extensions. Reported by Google. - CVE-2026-12468: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-12469: Uninitialized Use in GPU. Reported by Google. chromium (149.0.7827.155-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12437: Use after free in WebShare. Reported by Google. - CVE-2026-12438: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12439: Use after free in Digital Credentials. Reported by Google. - CVE-2026-12440: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12441: Use after free in File Input. Reported by Google. - CVE-2026-12442: Use after free in Passwords. Reported by Google. - CVE-2026-12443: Use after free in Web Authentication. Reported by Google - CVE-2026-12444: Out of bounds read in Chromoting. Reported by Google. - CVE-2026-12445: Use after free in Extensions. Reported by Google. - CVE-2026-12446: Insufficient data validation in Passwords. Reported by Google. - CVE-2026-12447: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12448: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-12449: Use after free in Chromoting. Reported by Google. - CVE-2026-12450: Inappropriate implementation in Media. Reported by Zhixin Tu. - CVE-2026-12451: Use after free in DigitalCredentials. Reported by Google - CVE-2026-12452: Use after free in Downloads. Reported by Google. - CVE-2026-12453: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-12454: Race in Safe Browsing. Reported by Google. - CVE-2026-12455: Use after free in Tab Strip. Reported by Google. - CVE-2026-12456: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-12457: Insufficient data validation in Extensions. Reported by Google. - CVE-2026-12458: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-12459: Inappropriate implementation in Serial. Reported by Google. - CVE-2026-12460: Insufficient policy enforcement in File System Access. Reported by Google. - CVE-2026-12461: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-12462: Use after free in Media. Reported by Google. - CVE-2026-12463: Inappropriate implementation in Views. Reported by Google. - CVE-2026-12464: Use after free in Browser. Reported by Google. - CVE-2026-12465: Insufficient validation of untrusted input in Metrics. Reported by Google. - CVE-2026-12466: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-12467: Use after free in Extensions. Reported by Google. - CVE-2026-12468: Inappropriate implementation in Updater. Reported by Google. - CVE-2026-12469: Uninitialized Use in GPU. Reported by Google. chromium (149.0.7827.114-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12007: Use after free  Core. Reported by Google. - CVE-2026-12008: Use after free  DigitalCredentials. Reported by Google. - CVE-2026-12009: Insufficient validation of untrusted input Accessibility. Reported by Google. - CVE-2026-12010: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12011: Use after free  WebMIDI. Reported by Google. - CVE-2026-12012: Use after free  Network. Reported by Google. - CVE-2026-12013: Use after free  Media. Reported by Henock Habte, Independent Security Researcher. - CVE-2026-12014: Use after free  Cast. Reported by Google. - CVE-2026-12015: Use after free  Autofill. Reported by Google. - CVE-2026-12016: Insufficient validation of untrusted input  DevTools. Reported by Google. - CVE-2026-12017: Insufficient validation of untrusted input Extensions. Reported by Google. - CVE-2026-12018: Inappropriate implementation  Mojo. Reported by Google. - CVE-2026-12019: Out of bounds write  Codecs. Reported by Google. - CVE-2026-12020: Use after free  Autofill. Reported by Google. - CVE-2026-12022: Race  Safe Browsing. Reported by Google. - CVE-2026-12023: Use after free  GPU. Reported by Google. - CVE-2026-12024: Insufficient policy enforcement  DevTools. Reported by Google. - CVE-2026-12025: Insufficient validation of untrusted input  Network. Reported by Google. - CVE-2026-12026: Out of bounds read  Video. Reported by Google. - CVE-2026-12027: Insufficient policy enforcement  Headless. Reported by Google. - CVE-2026-12028: Use after free  GPU. Reported by Google. - CVE-2026-12029: Use after free  Video. Reported by Google. - CVE-2026-12030: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12031: Inappropriate implementation  Views. Reported by Google - CVE-2026-12032: Inappropriate implementation  Passwords. Reported by Google. - CVE-2026-12033: Out of bounds read  VideoCapture. Reported by Google. - CVE-2026-12034: Insufficient validation of untrusted input  Linux Toolkit Theming. Reported by Google. - CVE-2026-12035: Use after free  Views. Reported by Google. . [ Jianfeng Liu ] * d/patches/loongarch64/0024-fix-libyuv-lsx.patch: drop due to upstream reverting to version of libyuv that doesn't have lsx issue. chromium (149.0.7827.114-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12007: Use after free  Core. Reported by Google. - CVE-2026-12008: Use after free  DigitalCredentials. Reported by Google. - CVE-2026-12009: Insufficient validation of untrusted input Accessibility. Reported by Google. - CVE-2026-12010: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12011: Use after free  WebMIDI. Reported by Google. - CVE-2026-12012: Use after free  Network. Reported by Google. - CVE-2026-12013: Use after free  Media. Reported by Henock Habte, Independent Security Researcher. - CVE-2026-12014: Use after free  Cast. Reported by Google. - CVE-2026-12015: Use after free  Autofill. Reported by Google. - CVE-2026-12016: Insufficient validation of untrusted input  DevTools. Reported by Google. - CVE-2026-12017: Insufficient validation of untrusted input Extensions. Reported by Google. - CVE-2026-12018: Inappropriate implementation  Mojo. Reported by Google. - CVE-2026-12019: Out of bounds write  Codecs. Reported by Google. - CVE-2026-12020: Use after free  Autofill. Reported by Google. - CVE-2026-12022: Race  Safe Browsing. Reported by Google. - CVE-2026-12023: Use after free  GPU. Reported by Google. - CVE-2026-12024: Insufficient policy enforcement  DevTools. Reported by Google. - CVE-2026-12025: Insufficient validation of untrusted input  Network. Reported by Google. - CVE-2026-12026: Out of bounds read  Video. Reported by Google. - CVE-2026-12027: Insufficient policy enforcement  Headless. Reported by Google. - CVE-2026-12028: Use after free  GPU. Reported by Google. - CVE-2026-12029: Use after free  Video. Reported by Google. - CVE-2026-12030: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12031: Inappropriate implementation  Views. Reported by Google - CVE-2026-12032: Inappropriate implementation  Passwords. Reported by Google. - CVE-2026-12033: Out of bounds read  VideoCapture. Reported by Google. - CVE-2026-12034: Insufficient validation of untrusted input  Linux Toolkit Theming. Reported by Google. - CVE-2026-12035: Use after free  Views. Reported by Google. . [ Jianfeng Liu ] * d/patches/loongarch64/0024-fix-libyuv-lsx.patch: drop due to upstream reverting to version of libyuv that doesn't have lsx issue. chromium (149.0.7827.114-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-12007: Use after free  Core. Reported by Google. - CVE-2026-12008: Use after free  DigitalCredentials. Reported by Google. - CVE-2026-12009: Insufficient validation of untrusted input Accessibility. Reported by Google. - CVE-2026-12010: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12011: Use after free  WebMIDI. Reported by Google. - CVE-2026-12012: Use after free  Network. Reported by Google. - CVE-2026-12013: Use after free  Media. Reported by Henock Habte, Independent Security Researcher. - CVE-2026-12014: Use after free  Cast. Reported by Google. - CVE-2026-12015: Use after free  Autofill. Reported by Google. - CVE-2026-12016: Insufficient validation of untrusted input  DevTools. Reported by Google. - CVE-2026-12017: Insufficient validation of untrusted input Extensions. Reported by Google. - CVE-2026-12018: Inappropriate implementation  Mojo. Reported by Google. - CVE-2026-12019: Out of bounds write  Codecs. Reported by Google. - CVE-2026-12020: Use after free  Autofill. Reported by Google. - CVE-2026-12022: Race  Safe Browsing. Reported by Google. - CVE-2026-12023: Use after free  GPU. Reported by Google. - CVE-2026-12024: Insufficient policy enforcement  DevTools. Reported by Google. - CVE-2026-12025: Insufficient validation of untrusted input  Network. Reported by Google. - CVE-2026-12026: Out of bounds read  Video. Reported by Google. - CVE-2026-12027: Insufficient policy enforcement  Headless. Reported by Google. - CVE-2026-12028: Use after free  GPU. Reported by Google. - CVE-2026-12029: Use after free  Video. Reported by Google. - CVE-2026-12030: Heap buffer overflow  GPU. Reported by Google. - CVE-2026-12031: Inappropriate implementation  Views. Reported by Google - CVE-2026-12032: Inappropriate implementation  Passwords. Reported by Google. - CVE-2026-12033: Out of bounds read  VideoCapture. Reported by Google. - CVE-2026-12034: Insufficient validation of untrusted input  Linux Toolkit Theming. Reported by Google. - CVE-2026-12035: Use after free  Views. Reported by Google. chromium (149.0.7827.102-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-11628: Use after free in Ozone. Reported by Google. - CVE-2026-11629: Use after free in Ozone. Reported by Google. - CVE-2026-11630: Use after free in File Input. Reported by Google. - CVE-2026-11631: Use after free in Aura. Reported by Google. - CVE-2026-11632: Use after free in TabStrip. Reported by Google. - CVE-2026-11633: Use after free in Bluetooth. Reported by Google. - CVE-2026-11634: Use after free in Gamepad. Reported by Google. - CVE-2026-11635: Use after free in Bluetooth. Reported by Google. - CVE-2026-11636: Use after free in Autofill. Reported by Google. - CVE-2026-11637: Use after free in Views. Reported by Google. - CVE-2026-11638: Use after free in Printing. Reported by Google. - CVE-2026-11639: Use after free in Compositing. Reported by Google. - CVE-2026-11640: Integer overflow in libyuv. Reported by Google. - CVE-2026-11641: Use after free in Bluetooth. Reported by Google. - CVE-2026-11642: Use after free in Web Apps. Reported by Google. - CVE-2026-11643: Use after free in Proxy. Reported by Google. - CVE-2026-11644: Use after free in Views. Reported by Google. - CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3 - CVE-2026-11646: Use after free in ViewTransitions. Reported by Quac Tran. - CVE-2026-11647: Use after free in Printing. Reported by Google. - CVE-2026-11648: Use after free in FullScreen. Reported by Mihnea Nicolau. - CVE-2026-11649: Use after free in V8. Reported by Google. - CVE-2026-11650: Use after free in V8. Reported by Google. - CVE-2026-11651: Use after free in Network. Reported by Google. - CVE-2026-11652: Use after free in Extensions. Reported by Google. - CVE-2026-11653: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11654: Use after free in CameraCapture. Reported by Google. - CVE-2026-11655: Integer overflow in Media. Reported by Google. - CVE-2026-11656: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11657: Use after free in Payments. Reported by Google. - CVE-2026-11658: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11659: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11661: Use after free in Views. Reported by Google. - CVE-2026-11662: Type Confusion in Bindings. Reported by Google. - CVE-2026-11663: Use after free in Skia. Reported by Google. - CVE-2026-11664: Use after free in Payments. Reported by Google. - CVE-2026-11665: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11666: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-11669: Integer overflow in Media. Reported by Google. - CVE-2026-11670: Use after free in PDF. Reported by Google. - CVE-2026-11671: Use after free in Navigation. Reported by Google. - CVE-2026-11672: Out of bounds write in GPU. Reported by Google. - CVE-2026-11673: Use after free in InterestGroups. Reported by Google. - CVE-2026-11674: Use after free in Guest View. Reported by Google. - CVE-2026-11675: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11676: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11677: Race in Network. Reported by Google. - CVE-2026-11678: Integer overflow in libyuv. Reported by Google. - CVE-2026-11679: Use after free in Codecs. Reported by Google. - CVE-2026-11680: Use after free in Media. Reported by Google. - CVE-2026-11681: Use after free in Ozone. Reported by Google. - CVE-2026-11682: Insufficient validation of untrusted input in Views. Reported by Google. - CVE-2026-11683: Use after free in WebCodecs. Reported by Google. - CVE-2026-11684: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-11685: Insufficient data validation in MediaCapture. Reported by Google. - CVE-2026-11686: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11687: Use after free in Dawn. Reported by Google. - CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google. - CVE-2026-11689: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-11690: Out of bounds read and write in Media. Reported by Google. - CVE-2026-11691: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11692: Use after free in Read Anything. Reported by Google. - CVE-2026-11693: Inappropriate implementation in Plugins. Reported by Google. - CVE-2026-11694: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11695: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11696: Uninitialized Use in Video. Reported by Google. - CVE-2026-11697: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11698: Use after free in Bluetooth. Reported by Google. - CVE-2026-11699: Use after free in Bluetooth. Reported by Google. - CVE-2026-11700: Use after free in Tracing. Reported by Google. - CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google. * d/patches: - fixes/arm-logging.patch: add patch to hopefully fix build failure on arm*. - loongarch64/0024-fix-libyuv-lsx.patch: refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes - core/baseline-isa-3-0.patch: refresh chromium (149.0.7827.102-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-11628: Use after free in Ozone. Reported by Google. - CVE-2026-11629: Use after free in Ozone. Reported by Google. - CVE-2026-11630: Use after free in File Input. Reported by Google. - CVE-2026-11631: Use after free in Aura. Reported by Google. - CVE-2026-11632: Use after free in TabStrip. Reported by Google. - CVE-2026-11633: Use after free in Bluetooth. Reported by Google. - CVE-2026-11634: Use after free in Gamepad. Reported by Google. - CVE-2026-11635: Use after free in Bluetooth. Reported by Google. - CVE-2026-11636: Use after free in Autofill. Reported by Google. - CVE-2026-11637: Use after free in Views. Reported by Google. - CVE-2026-11638: Use after free in Printing. Reported by Google. - CVE-2026-11639: Use after free in Compositing. Reported by Google. - CVE-2026-11640: Integer overflow in libyuv. Reported by Google. - CVE-2026-11641: Use after free in Bluetooth. Reported by Google. - CVE-2026-11642: Use after free in Web Apps. Reported by Google. - CVE-2026-11643: Use after free in Proxy. Reported by Google. - CVE-2026-11644: Use after free in Views. Reported by Google. - CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3 - CVE-2026-11646: Use after free in ViewTransitions. Reported by Quac Tran. - CVE-2026-11647: Use after free in Printing. Reported by Google. - CVE-2026-11648: Use after free in FullScreen. Reported by Mihnea Nicolau. - CVE-2026-11649: Use after free in V8. Reported by Google. - CVE-2026-11650: Use after free in V8. Reported by Google. - CVE-2026-11651: Use after free in Network. Reported by Google. - CVE-2026-11652: Use after free in Extensions. Reported by Google. - CVE-2026-11653: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11654: Use after free in CameraCapture. Reported by Google. - CVE-2026-11655: Integer overflow in Media. Reported by Google. - CVE-2026-11656: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11657: Use after free in Payments. Reported by Google. - CVE-2026-11658: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11659: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11661: Use after free in Views. Reported by Google. - CVE-2026-11662: Type Confusion in Bindings. Reported by Google. - CVE-2026-11663: Use after free in Skia. Reported by Google. - CVE-2026-11664: Use after free in Payments. Reported by Google. - CVE-2026-11665: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11666: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-11669: Integer overflow in Media. Reported by Google. - CVE-2026-11670: Use after free in PDF. Reported by Google. - CVE-2026-11671: Use after free in Navigation. Reported by Google. - CVE-2026-11672: Out of bounds write in GPU. Reported by Google. - CVE-2026-11673: Use after free in InterestGroups. Reported by Google. - CVE-2026-11674: Use after free in Guest View. Reported by Google. - CVE-2026-11675: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11676: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11677: Race in Network. Reported by Google. - CVE-2026-11678: Integer overflow in libyuv. Reported by Google. - CVE-2026-11679: Use after free in Codecs. Reported by Google. - CVE-2026-11680: Use after free in Media. Reported by Google. - CVE-2026-11681: Use after free in Ozone. Reported by Google. - CVE-2026-11682: Insufficient validation of untrusted input in Views. Reported by Google. - CVE-2026-11683: Use after free in WebCodecs. Reported by Google. - CVE-2026-11684: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-11685: Insufficient data validation in MediaCapture. Reported by Google. - CVE-2026-11686: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11687: Use after free in Dawn. Reported by Google. - CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google. - CVE-2026-11689: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-11690: Out of bounds read and write in Media. Reported by Google. - CVE-2026-11691: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11692: Use after free in Read Anything. Reported by Google. - CVE-2026-11693: Inappropriate implementation in Plugins. Reported by Google. - CVE-2026-11694: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11695: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11696: Uninitialized Use in Video. Reported by Google. - CVE-2026-11697: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11698: Use after free in Bluetooth. Reported by Google. - CVE-2026-11699: Use after free in Bluetooth. Reported by Google. - CVE-2026-11700: Use after free in Tracing. Reported by Google. - CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google. * d/patches: - fixes/arm-logging.patch: add patch to hopefully fix build failure on arm*. - loongarch64/0024-fix-libyuv-lsx.patch: refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes - core/baseline-isa-3-0.patch: refresh chromium (149.0.7827.102-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-11628: Use after free in Ozone. Reported by Google. - CVE-2026-11629: Use after free in Ozone. Reported by Google. - CVE-2026-11630: Use after free in File Input. Reported by Google. - CVE-2026-11631: Use after free in Aura. Reported by Google. - CVE-2026-11632: Use after free in TabStrip. Reported by Google. - CVE-2026-11633: Use after free in Bluetooth. Reported by Google. - CVE-2026-11634: Use after free in Gamepad. Reported by Google. - CVE-2026-11635: Use after free in Bluetooth. Reported by Google. - CVE-2026-11636: Use after free in Autofill. Reported by Google. - CVE-2026-11637: Use after free in Views. Reported by Google. - CVE-2026-11638: Use after free in Printing. Reported by Google. - CVE-2026-11639: Use after free in Compositing. Reported by Google. - CVE-2026-11640: Integer overflow in libyuv. Reported by Google. - CVE-2026-11641: Use after free in Bluetooth. Reported by Google. - CVE-2026-11642: Use after free in Web Apps. Reported by Google. - CVE-2026-11643: Use after free in Proxy. Reported by Google. - CVE-2026-11644: Use after free in Views. Reported by Google. - CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3 - CVE-2026-11646: Use after free in ViewTransitions. Reported by Quac Tran. - CVE-2026-11647: Use after free in Printing. Reported by Google. - CVE-2026-11648: Use after free in FullScreen. Reported by Mihnea Nicolau. - CVE-2026-11649: Use after free in V8. Reported by Google. - CVE-2026-11650: Use after free in V8. Reported by Google. - CVE-2026-11651: Use after free in Network. Reported by Google. - CVE-2026-11652: Use after free in Extensions. Reported by Google. - CVE-2026-11653: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11654: Use after free in CameraCapture. Reported by Google. - CVE-2026-11655: Integer overflow in Media. Reported by Google. - CVE-2026-11656: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11657: Use after free in Payments. Reported by Google. - CVE-2026-11658: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11659: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11661: Use after free in Views. Reported by Google. - CVE-2026-11662: Type Confusion in Bindings. Reported by Google. - CVE-2026-11663: Use after free in Skia. Reported by Google. - CVE-2026-11664: Use after free in Payments. Reported by Google. - CVE-2026-11665: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11666: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-11669: Integer overflow in Media. Reported by Google. - CVE-2026-11670: Use after free in PDF. Reported by Google. - CVE-2026-11671: Use after free in Navigation. Reported by Google. - CVE-2026-11672: Out of bounds write in GPU. Reported by Google. - CVE-2026-11673: Use after free in InterestGroups. Reported by Google. - CVE-2026-11674: Use after free in Guest View. Reported by Google. - CVE-2026-11675: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11676: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11677: Race in Network. Reported by Google. - CVE-2026-11678: Integer overflow in libyuv. Reported by Google. - CVE-2026-11679: Use after free in Codecs. Reported by Google. - CVE-2026-11680: Use after free in Media. Reported by Google. - CVE-2026-11681: Use after free in Ozone. Reported by Google. - CVE-2026-11682: Insufficient validation of untrusted input in Views. Reported by Google. - CVE-2026-11683: Use after free in WebCodecs. Reported by Google. - CVE-2026-11684: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-11685: Insufficient data validation in MediaCapture. Reported by Google. - CVE-2026-11686: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11687: Use after free in Dawn. Reported by Google. - CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google. - CVE-2026-11689: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-11690: Out of bounds read and write in Media. Reported by Google. - CVE-2026-11691: Insufficient validation of untrusted input in New Tab Page. Reported by Google. - CVE-2026-11692: Use after free in Read Anything. Reported by Google. - CVE-2026-11693: Inappropriate implementation in Plugins. Reported by Google. - CVE-2026-11694: Use after free in ServiceWorker. Reported by Google. - CVE-2026-11695: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11696: Uninitialized Use in Video. Reported by Google. - CVE-2026-11697: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-11698: Use after free in Bluetooth. Reported by Google. - CVE-2026-11699: Use after free in Bluetooth. Reported by Google. - CVE-2026-11700: Use after free in Tracing. Reported by Google. - CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google. * d/patches: - fixes/arm-logging.patch: add patch to hopefully fix build failure on arm*. - loongarch64/0024-fix-libyuv-lsx.patch: refresh. . [ Timothy Pearson ] * d/patches/ppc64le: - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for upstream changes - core/baseline-isa-3-0.patch: refresh chromium (149.0.7827.53-1) unstable; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-10881: Out of bounds read and write in ANGLE. Reported by Anonymous. - CVE-2026-10882: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10883: Out of bounds write in ANGLE. Reported by Maher Azzouzi. - CVE-2026-10884: Use after free in Chromecast. Reported by Google. - CVE-2026-10885: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10886: Use after free in FileSystem. Reported by Andrew Boni. - CVE-2026-10887: Use after free in Chromoting. Reported by Google. - CVE-2026-10888: Use after free in Cast Streaming. Reported by Google. - CVE-2026-10889: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10890: Use after free in Cast. Reported by Google. - CVE-2026-10891: Use after free in GFX. Reported by Google. - CVE-2026-10892: Out of bounds write in GPU. Reported by Google. - CVE-2026-10893: Use after free in Chromoting. Reported by Google. - CVE-2026-10894: Use after free in Printing. Reported by Google. - CVE-2026-10895: Use after free in Ozone. Reported by Google. - CVE-2026-10896: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10897: Out of bounds write in GPU. Reported by Google. - CVE-2026-10898: Stack buffer overflow in GPU. Reported by Google. - CVE-2026-10899: Use after free in Ozone. Reported by Google. - CVE-2026-10900: Use after free in Passwords. Reported by Google. - CVE-2026-10901: Use after free in Passwords. Reported by Google. - CVE-2026-10902: Use after free in Ozone. Reported by Google. - CVE-2026-10903: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10904: Inappropriate implementation in V8. Reported by 303f06e3 - CVE-2026-10905: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10906: Use after free in WebAuthentication. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10907: Out of bounds write in ANGLE. Reported by sweetchip. - CVE-2026-10908: Use after free in FullScreen. Reported by Mihnea Nicolau - CVE-2026-10909: Use after free in Dawn. Reported by whiter@xuanyusec. - CVE-2026-10910: Type Confusion in V8. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10911: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10912: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-10913: Use after free in ANGLE. Reported by Google. - CVE-2026-10914: Use after free in ANGLE. Reported by Google. - CVE-2026-10915: Use after free in Core. Reported by Google. - CVE-2026-10916: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10917: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10918: Use after free in Viz. Reported by Google. - CVE-2026-10919: Use after free in ANGLE. Reported by Google. - CVE-2026-10920: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-10921: Integer overflow in Dawn. Reported by Google. - CVE-2026-10922: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10923: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10924: Integer overflow in Chromecast. Reported by Google. - CVE-2026-10925: Out of bounds write in Skia. Reported by Google. - CVE-2026-10926: Use after free in Cast. Reported by Google. - CVE-2026-10927: Out of bounds read in Dawn. Reported by Google. - CVE-2026-10928: Script injection in Headless. Reported by Google. - CVE-2026-10929: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-10930: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10931: Use after free in FileSystem. Reported by asjidkalam. - CVE-2026-10932: Use after free in UI. Reported by Google. - CVE-2026-10933: Use after free in Audio. Reported by Google. - CVE-2026-10934: Use after free in Autofill. Reported by Google. - CVE-2026-10935: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10936: Type Confusion in V8. Reported by Google. - CVE-2026-10937: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-10938: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-10939: Use after free in WebRTC. Reported by Google. - CVE-2026-10940: Race in Codecs. Reported by Google. - CVE-2026-10941: Out of bounds memory access in Skia. Reported by Google. - CVE-2026-10942: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-10943: Use after free in WebRTC. Reported by Rayyan Kadar. - CVE-2026-10944: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10945: Use after free in PDF. Reported by Google. - CVE-2026-10946: Heap buffer overflow in Media. Reported by Google. - CVE-2026-10947: Use after free in WebRTC. Reported by Google. - CVE-2026-10948: Use after free in WebRTC. Reported by Google. - CVE-2026-10949: Heap buffer overflow in Video. Reported by Google. - CVE-2026-10950: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10951: Use after free in Autofill. Reported by Google. - CVE-2026-10952: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10953: Use after free in Core. Reported by Google. - CVE-2026-10954: Use after free in Actor. Reported by Google. - CVE-2026-10955: Type Confusion in ANGLE. Reported by Google. - CVE-2026-10956: Use after free in MimeHandlerView. Reported by Google. - CVE-2026-10957: Use after free in Glic. Reported by Google. - CVE-2026-10958: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10959: Use after free in Input. Reported by Google. - CVE-2026-10960: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-10961: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10962: Type Confusion in Media. Reported by Google. - CVE-2026-10963: Integer overflow in V8. Reported by Google. - CVE-2026-10964: Integer overflow in V8. Reported by Google. - CVE-2026-10965: Integer overflow in DevTools. Reported by Google. - CVE-2026-10966: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10967: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-10968: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10969: Insufficient validation of untrusted input in Extensions Reported by Google. - CVE-2026-10970: Insufficient validation of untrusted input in InterestGroups. Reported by Google. - CVE-2026-10971: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-10972: Use after free in Ozone. Reported by Google. - CVE-2026-10973: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10974: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-10975: Use after free in WebRTC. Reported by Google. - CVE-2026-10976: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10977: Uninitialized Use in Skia. Reported by Google. - CVE-2026-10978: Use after free in Chromoting. Reported by Google. - CVE-2026-10979: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10980: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10981: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10982: Use after free in WebXR. Reported by Google. - CVE-2026-10983: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10984: Inappropriate implementation in Accessibility. Reported by Google. - CVE-2026-10985: Out of bounds read in Skia. Reported by Google. - CVE-2026-10986: Integer overflow in Media. Reported by Google. - CVE-2026-10987: Integer overflow in V8. Reported by Google. - CVE-2026-10988: Use after free in Views. Reported by Google. - CVE-2026-10989: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10990: Use after free in Glic. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10991: Use after free in V8. Reported by Alisa Esage (@alisaesage). - CVE-2026-10992: Insufficient data validation in Animation. Reported by heapracer (@heapracer). - CVE-2026-10993: Heap buffer overflow in Skia. Reported by M. Fauzan Wijaya (Gh05t666nero). - CVE-2026-10994: Uninitialized Use in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10995: Heap buffer overflow in TabStrip. Reported by Sven Dysthe (@svn-dys). - CVE-2026-10996: Inappropriate implementation in Workers. Reported by Jayateertha Guruprasad. - CVE-2026-10997: Insufficient policy enforcement in Extensions. Reported by djallalakira@gmail.com. - CVE-2026-10998: Out of bounds read in Media. Reported by Ameen Basha M K - CVE-2026-10999: Out of bounds memory access in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11000: Use after free in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11001: Incorrect security UI in Payments. Reported by Google. - CVE-2026-11002: Use after free in Autofill. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11003: Use after free in WebRTC. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. - CVE-2026-11004: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11005: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11006: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11007: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-11008: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11009: Use after free in USB. Reported by Google. - CVE-2026-11010: Use after free in WebShare. Reported by David Sievers. - CVE-2026-11011: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11012: Use after free in Serial. Reported by Google. - CVE-2026-11013: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11014: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11015: Out of bounds read in WebGPU. Reported by Yuma Takeuchi. - CVE-2026-11016: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11017: Inappropriate implementation in Link Preview. Reported by Google. - CVE-2026-11018: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11019: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11020: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11021: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11022: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11023: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11024: Stack buffer overflow in Skia. Reported by Google. - CVE-2026-11025: Insufficient policy enforcement in Navigation. Reported by Google. - CVE-2026-11026: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11027: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-11028: Use after free in Media. Reported by Google. - CVE-2026-11029: Insufficient validation of untrusted input in Drag and Drop. Reported by Google. - CVE-2026-11030: Use after free in Network. Reported by Google. - CVE-2026-11031: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11032: Insufficient data validation in Password Manager. Reported by Google. - CVE-2026-11033: Uninitialized Use in WebML. Reported by Google. - CVE-2026-11034: Insufficient validation of untrusted input in Tab Group Sync. Reported by Google. - CVE-2026-11035: Insufficient validation of untrusted input in Custom Tabs. Reported by Google. - CVE-2026-11036: Inappropriate implementation in DOM. Reported by Google - CVE-2026-11037: Out of bounds write in Codecs. Reported by Google. - CVE-2026-11038: Insufficient validation of untrusted input in Subresource Integrity. Reported by Google. - CVE-2026-11039: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11040: Use after free in ANGLE. Reported by Google. - CVE-2026-11041: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11042: Use after free in Views. Reported by Google. - CVE-2026-11043: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-11044: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11045: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11046: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11047: Insufficient validation of untrusted input in Base. Reported by Google. - CVE-2026-11048: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11049: Use after free in Password Manager. Reported by Google. - CVE-2026-11050: Use after free in V8. Reported by Google. - CVE-2026-11051: Out of bounds read in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11052: Type Confusion in GPU. Reported by Google. - CVE-2026-11053: VULNERABILITY in WebRTC. Reported by Google. - CVE-2026-11054: Use after free in WebRTC. Reported by Google. - CVE-2026-11055: Use after free in ANGLE. Reported by Google. - CVE-2026-11056: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-11057: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11058: Integer overflow in CredentialProvider. Reported by Google. - CVE-2026-11059: Use after free in Blink. Reported by Google. - CVE-2026-11060: Use after free in Media. Reported by Google. - CVE-2026-11061: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11062: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11063: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-11064: Uninitialized Use in GPU. Reported by Google. - CVE-2026-11065: Use after free in ANGLE. Reported by Google. - CVE-2026-11066: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11067: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11068: Use after free in WebSockets. Reported by Google. - CVE-2026-11069: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11070: Insufficient validation of untrusted input in Chromoting Reported by Google. - CVE-2026-11071: Use after free in Base. Reported by Google. - CVE-2026-11072: Use after free in WebView. Reported by Google. - CVE-2026-11073: Use after free in WebGL. Reported by Google. - CVE-2026-11074: Use after free in WebRTC. Reported by boboliverfrancishoward@gmail.com. - CVE-2026-11075: Out of bounds read in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-11076: Type Confusion in CSS. Reported by Google. - CVE-2026-11077: Out of bounds read in Dawn. Reported by Anonymous. - CVE-2026-11078: Insufficient validation of untrusted input in FileSystem. Reported by Eran Rom of Palo Alto Networks. - CVE-2026-11079: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11080: Use after free in WebView. Reported by Google. - CVE-2026-11081: Policy bypass in Canvas. Reported by Google. - CVE-2026-11082: Use after free in GPU. Reported by Google. - CVE-2026-11083: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11084: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11085: Integer overflow in GPU. Reported by Google. - CVE-2026-11086: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11087: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11088: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11089: Uninitialized Use in Media. Reported by Google. - CVE-2026-11090: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11091: Inappropriate implementation in Dawn. Reported by Google - CVE-2026-11092: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11093: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-11094: Use after free in Codecs. Reported by Google. - CVE-2026-11095: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11096: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11097: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11098: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11099: Vulnerability in Skia. Reported by Google. - CVE-2026-11100: Use after free in File Input. Reported by Google. - CVE-2026-11101: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11102: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-11103: Inappropriate implementation in Installer. Reported by Google. - CVE-2026-11104: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11105: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-11106: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11107: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-11108: Inappropriate implementation in NFC. Reported by Google - CVE-2026-11109: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11110: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11111: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11112: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11113: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11114: Use after free in Device Trust. Reported by Google. - CVE-2026-11115: Use after free in Updater. Reported by Google. - CVE-2026-11116: Use after free in Chromoting. Reported by Google. - CVE-2026-11117: Use after free in Views. Reported by Google. - CVE-2026-11118: Use after free in WebRTC. Reported by Google. - CVE-2026-11119: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11120: Insufficient validation of untrusted input in Enterprise Reporting. Reported by Google. - CVE-2026-11121: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11122: Inappropriate implementation in Keyboard. Reported by Google. - CVE-2026-11123: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11124: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-11125: Use after free in Compositing. Reported by Google. - CVE-2026-11126: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11127: Inappropriate implementation in WebAPKs. Reported by Google. - CVE-2026-11128: Insufficient validation of untrusted input in Web Share. Reported by Google. - CVE-2026-11129: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11130: Use after free in Media. Reported by Google. - CVE-2026-11131: Use after free in Autofill. Reported by Google. - CVE-2026-11132: Policy bypass in Paint. Reported by Google. - CVE-2026-11133: Insufficient policy enforcement in Paint. Reported by Google. - CVE-2026-11134: Insufficient data validation in Media. Reported by Google. - CVE-2026-11135: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-11136: Use after free in Canvas. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-11137: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11138: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11139: Policy bypass in Paint. Reported by Google. - CVE-2026-11140: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-11141: Uninitialized Use in Audio. Reported by Google. - CVE-2026-11142: Policy bypass in Paint. Reported by Google. - CVE-2026-11143: Heap buffer overflow in Extensions. Reported by Google. - CVE-2026-11144: Use after free in Media. Reported by Google. - CVE-2026-11145: Race in Geolocation. Reported by Google. - CVE-2026-11146: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11147: Use after free in WebML. Reported by Google. - CVE-2026-11148: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11149: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11150: Inappropriate implementation in XML. Reported by Google - CVE-2026-11151: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11152: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-11153: Side-channel information leakage in Forms. Reported by Google. - CVE-2026-11154: Use after free in Dawn. Reported by Google. - CVE-2026-11155: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11156: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11157: Script injection in Accessibility. Reported by Google. - CVE-2026-11158: Insufficient validation of untrusted input in Downloads. Reported by Google. - CVE-2026-11159: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11160: Out of bounds read in Input. Reported by Google. - CVE-2026-11161: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-11162: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11163: Use after free in Messages. Reported by Google. - CVE-2026-11164: Use after free in Blink. Reported by Google. - CVE-2026-11165: Use after free in WebMIDI. Reported by Google. - CVE-2026-11166: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11167: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11168: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11169: Inappropriate implementation in XML. Reported by Google - CVE-2026-11170: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-11171: Integer overflow in Blink. Reported by Google. - CVE-2026-11172: Incorrect security UI in Contact Picker. Reported by mochazril.ti@gmail.com. - CVE-2026-11173: Out of bounds write in V8. Reported by Google. - CVE-2026-11174: Insufficient policy enforcement in Site Isolation. Reported by Google. - CVE-2026-11175: Incorrect security UI in Messages. Reported by Google. - CVE-2026-11176: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11177: Use after free in Omnibox. Reported by gevakun. - CVE-2026-11178: Policy bypass in WebView. Reported by Google. - CVE-2026-11179: Inappropriate implementation in ORB. Reported by Google - CVE-2026-11180: Policy bypass in SVG. Reported by Google. - CVE-2026-11181: Inappropriate implementation in Media Session. Reported by Google. - CVE-2026-11182: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11183: Out of bounds read in GWP-ASan. Reported by Google. - CVE-2026-11184: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11185: Use after free in V8. Reported by Google. - CVE-2026-11186: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11187: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-11188: Use after free in USB. Reported by Google. - CVE-2026-11189: Insufficient validation of untrusted input in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-11190: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11191: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-11192: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11193: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11194: Inappropriate implementation in Network. Reported by Google. - CVE-2026-11195: Inappropriate implementation in MHTML. Reported by Google. - CVE-2026-11196: Type Confusion in XML. Reported by Google. - CVE-2026-11197: Insufficient policy enforcement in Workers. Reported by VEZEKA. - CVE-2026-11198: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11199: Insufficient validation of untrusted input in WebRTC. Reported by Google. - CVE-2026-11200: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-11201: Use after free in ServiceWorker. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11202: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11203: Policy bypass in GPU. Reported by Google. - CVE-2026-11204: Inappropriate implementation in Signin. Reported by Google. - CVE-2026-11205: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11206: Policy bypass in ServiceWorker. Reported by David Bors, Catalin Iovita. - CVE-2026-11207: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-11208: Use after free in Codecs. Reported by Google. - CVE-2026-11209: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-11210: Insufficient policy enforcement in Safe Browsing. Reported by Google. - CVE-2026-11211: Integer overflow in V8. Reported by Google. - CVE-2026-11212: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11213: Insufficient validation of untrusted input in Reading Mode. Reported by Google. - CVE-2026-11214: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-11215: Inappropriate implementation in Cronet. Reported by Google. - CVE-2026-11216: Incorrect security UI in File Input. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-11217: Insufficient policy enforcement in Fenced Frames. Reported by Tianyi Hu. - CVE-2026-11218: Inappropriate implementation in PlatformIntegration. Reported by Han Liu (Xi’an Jiaotong University, School of Cyber Science and Engineering). - CVE-2026-11219: Insufficient data validation in Navigation. Reported by Bharat (mrnoob) . - CVE-2026-11220: Insufficient validation of untrusted input in Navigation. Reported by Tianyi Hu. - CVE-2026-11221: Insufficient validation of untrusted input in PointerLock. Reported by mihalis.haatainen@bountyy.fi. - CVE-2026-11222: Incorrect security UI in Tab Strip. Reported by Hafiizh - CVE-2026-11223: Insufficient validation of untrusted input in Network. Reported by Tianyi Hu. - CVE-2026-11224: Use after free in Chromoting. Reported by David Bors, Catalin Iovita. - CVE-2026-11225: Incorrect security UI in WebUI. Reported by Tareq Ahamed - itztrq. - CVE-2026-11226: Insufficient policy enforcement in PreviewTab. Reported by Google. - CVE-2026-11227: Incorrect security UI in Tab Hover Cards. Reported by Hafiizh. - CVE-2026-11228: Incorrect security UI in File Input. Reported by Umar Farooq . - CVE-2026-11229: Insufficient policy enforcement in Enterprise. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-11230: Use after free in Extensions. Reported by Google. - CVE-2026-11231: Inappropriate implementation in Safe Browsing. Reported by Google. - CVE-2026-11232: Inappropriate implementation in TabGroups. Reported by Google. - CVE-2026-11233: Insufficient validation of untrusted input in FoldableAPIs. Reported by Google. - CVE-2026-11234: Insufficient policy enforcement in FoldableAPIs. Reported by Google. - CVE-2026-11235: Insufficient validation of untrusted input in Compositing. Reported by Google. - CVE-2026-11236: Insufficient policy enforcement in Web Bluetooth. Reported by Google. - CVE-2026-11237: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11238: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11239: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11240: Insufficient validation of untrusted input in Loader. Reported by Google. - CVE-2026-11241: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11242: Insufficient validation of untrusted input in Plugins. Reported by Google. - CVE-2026-11243: Incorrect security UI in Downloads. Reported by Google. - CVE-2026-11244: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-11245: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11246: Insufficient validation of untrusted input in IndexedDB. Reported by Google. - CVE-2026-11247: Insufficient policy enforcement in CustomTabs. Reported by Google. - CVE-2026-11248: Policy bypass in Google Lens. Reported by Google. - CVE-2026-11249: Use after free in Network. Reported by Google. - CVE-2026-11250: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11251: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11252: Policy bypass in Content Settings. Reported by Google. - CVE-2026-11253: Race in Permissions. Reported by Google. - CVE-2026-11254: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11255: Insufficient validation of untrusted input in Storage Access API. Reported by Google. - CVE-2026-11256: Out of bounds read in GPU. Reported by Google. - CVE-2026-11257: Inappropriate implementation in Browser. Reported by Google. - CVE-2026-11258: Inappropriate implementation in File System Access. Reported by Google. - CVE-2026-11259: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11260: Policy bypass in Permissions. Reported by Google. - CVE-2026-11261: Insufficient validation of untrusted input in PDF. Reported by Google. - CVE-2026-11262: Use after free in TabStrip. Reported by Google. - CVE-2026-11263: Insufficient policy enforcement in WebAuthentication. Reported by Google. - CVE-2026-11264: Policy bypass in Content Security Policy. Reported by Google. - CVE-2026-11265: Insufficient data validation in Autofill. Reported by Google. - CVE-2026-11266: Policy bypass in SafeBrowsing. Reported by Google. - CVE-2026-11267: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11268: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11269: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11270: Inappropriate implementation in UI. Reported by Google. - CVE-2026-11271: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-11272: Insufficient validation of untrusted input in Reading List. Reported by Google. - CVE-2026-11273: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-11274: Inappropriate implementation in DOM Distiller. Reported by Google. - CVE-2026-11275: Insufficient policy enforcement in Page Info. Reported by Google. - CVE-2026-11276: Inappropriate implementation in Cast. Reported by Google - CVE-2026-11277: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11278: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-11279: Out of bounds read in DevTools. Reported by Google. - CVE-2026-11280: Insufficient validation of untrusted input in Signin. Reported by Google. - CVE-2026-11281: Integer overflow in Chromoting. Reported by Google. - CVE-2026-11282: Policy bypass in Sandbox. Reported by Google. - CVE-2026-11283: Policy bypass in Shortcuts. Reported by Google. - CVE-2026-11284: Side-channel information leakage in PerformanceAPIs. Reported by Google. - CVE-2026-11285: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11286: Insufficient validation of untrusted input in Wallet. Reported by Google. - CVE-2026-11287: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-11288: Policy bypass in CSS. Reported by Google. - CVE-2026-11289: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-11290: Integer overflow in WebView. Reported by Google. - CVE-2026-11291: Policy bypass in Android Autofill. Reported by Google. - CVE-2026-11292: Policy bypass in Blink. Reported by Google. - CVE-2026-11293: Use after free in Input. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11294: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11295: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11296: Inappropriate implementation in ImageCapture. Reported by Google. - CVE-2026-11297: Insufficient validation of untrusted input in Reader Mode. Reported by Google. - CVE-2026-11298: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11299: Out of bounds read in Fonts. Reported by sharadboni@gmail.com. - CVE-2026-11300: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11301: Out of bounds read in LiveCaption. Reported by Google. - CVE-2026-11302: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11303: Use after free in PDFium. Reported by Google. - CVE-2026-11304: Use after free in PDFium. Reported by Google. - CVE-2026-11305: Use after free in PDFium. Reported by Google. - CVE-2026-11306: Use after free in PDFium. Reported by Google. - CVE-2026-11307: Use after free in PDFium. Reported by Google. - CVE-2026-11308: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11309: Insufficient policy enforcement in History. Reported by Google. * d/patches: - upstream/turboshaft.patch: drop, merged upstream. - fixes/enable-widevine-on-arm64-linux-platform.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/armhf-icf.patch: refresh. - disable/catapult.patch: refresh. - llvm-19/clang19.patch: add more bits to drop unsupported warning and diagnostic flags. - trixie/gn-inputs.patch: drop portion of patch due to upstream changes. - trixie/gn-inputs2.patch: refresh. - bookworm/bindgen.patch: drop due to upgraded bindgen [sid, trixie]. - bookworm/gn-allowlist.patch: drop due to upgraded generate-ninja [sid, trixie]. - llvm-22/ignore-for-ubsan.patch: update for upstream reworking. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/disable-privacy-sandbox.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - trixie/gn-expand-dir-allowlist.patch: add new patch to work around older generate-ninja. - fixes/libcpp-headers.patch: update for upstream changes reworking how this was done. - disable/libei.patch: add patch to fix build failure due to libei removal. - llvm-19/value-or.patch: add another clang-19 build workaround. - llvm-19/const-profile.patch: add patch to work around const-related clang-19 build failure. - rust-1.85/file_as_c_str.patch: rework patch due to upstream changes [trixie, bookworm]. - rust-1.85/zip8.patch: refresh [trixie, bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. * d/copyright: properly delete harfbuzz (due to harfbuzz-ng rename). . [ Daniel Richard G. ] * d/patches: - bookworm/bindgen.patch: Refresh [bookworm]. - bookworm/gn-absl.patch: Update absl_source_set("no_destructor") with visibility directive, and refresh [bookworm]. - rust-1.85/mojo-features.patch: Add feature to new Rust source file [trixie, bookworm]. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch: refresh for upstream changes - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - third_party/0005-blink-add-audio-vector-support.patch: refresh for upstream changes - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: regenerate - third_party/0003-third_party-libvpx-Add-ppc64-generated-config.patch: regenerate - third_party/0001-third_party-libvpx-Disable-vsx-on-ppc64.patch: ensure VSX is disabled until VP9 artifacting can be fixed upstream . [ Jianfeng Liu ] * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: This is a patch aleady merged to v150 to fix build on loongarch64. - loongarch64/0024-fix-libyuv-lsx.patch: Upstream has bumped the version of libyuv and it has broken build with lsx enabled on loongarch64. Add a patch to fix the build first. chromium (149.0.7827.53-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-10881: Out of bounds read and write in ANGLE. Reported by Anonymous. - CVE-2026-10882: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10883: Out of bounds write in ANGLE. Reported by Maher Azzouzi. - CVE-2026-10884: Use after free in Chromecast. Reported by Google. - CVE-2026-10885: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10886: Use after free in FileSystem. Reported by Andrew Boni. - CVE-2026-10887: Use after free in Chromoting. Reported by Google. - CVE-2026-10888: Use after free in Cast Streaming. Reported by Google. - CVE-2026-10889: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10890: Use after free in Cast. Reported by Google. - CVE-2026-10891: Use after free in GFX. Reported by Google. - CVE-2026-10892: Out of bounds write in GPU. Reported by Google. - CVE-2026-10893: Use after free in Chromoting. Reported by Google. - CVE-2026-10894: Use after free in Printing. Reported by Google. - CVE-2026-10895: Use after free in Ozone. Reported by Google. - CVE-2026-10896: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10897: Out of bounds write in GPU. Reported by Google. - CVE-2026-10898: Stack buffer overflow in GPU. Reported by Google. - CVE-2026-10899: Use after free in Ozone. Reported by Google. - CVE-2026-10900: Use after free in Passwords. Reported by Google. - CVE-2026-10901: Use after free in Passwords. Reported by Google. - CVE-2026-10902: Use after free in Ozone. Reported by Google. - CVE-2026-10903: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10904: Inappropriate implementation in V8. Reported by 303f06e3 - CVE-2026-10905: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10906: Use after free in WebAuthentication. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10907: Out of bounds write in ANGLE. Reported by sweetchip. - CVE-2026-10908: Use after free in FullScreen. Reported by Mihnea Nicolau - CVE-2026-10909: Use after free in Dawn. Reported by whiter@xuanyusec. - CVE-2026-10910: Type Confusion in V8. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10911: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10912: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-10913: Use after free in ANGLE. Reported by Google. - CVE-2026-10914: Use after free in ANGLE. Reported by Google. - CVE-2026-10915: Use after free in Core. Reported by Google. - CVE-2026-10916: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10917: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10918: Use after free in Viz. Reported by Google. - CVE-2026-10919: Use after free in ANGLE. Reported by Google. - CVE-2026-10920: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-10921: Integer overflow in Dawn. Reported by Google. - CVE-2026-10922: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10923: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10924: Integer overflow in Chromecast. Reported by Google. - CVE-2026-10925: Out of bounds write in Skia. Reported by Google. - CVE-2026-10926: Use after free in Cast. Reported by Google. - CVE-2026-10927: Out of bounds read in Dawn. Reported by Google. - CVE-2026-10928: Script injection in Headless. Reported by Google. - CVE-2026-10929: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-10930: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10931: Use after free in FileSystem. Reported by asjidkalam. - CVE-2026-10932: Use after free in UI. Reported by Google. - CVE-2026-10933: Use after free in Audio. Reported by Google. - CVE-2026-10934: Use after free in Autofill. Reported by Google. - CVE-2026-10935: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10936: Type Confusion in V8. Reported by Google. - CVE-2026-10937: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-10938: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-10939: Use after free in WebRTC. Reported by Google. - CVE-2026-10940: Race in Codecs. Reported by Google. - CVE-2026-10941: Out of bounds memory access in Skia. Reported by Google. - CVE-2026-10942: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-10943: Use after free in WebRTC. Reported by Rayyan Kadar. - CVE-2026-10944: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10945: Use after free in PDF. Reported by Google. - CVE-2026-10946: Heap buffer overflow in Media. Reported by Google. - CVE-2026-10947: Use after free in WebRTC. Reported by Google. - CVE-2026-10948: Use after free in WebRTC. Reported by Google. - CVE-2026-10949: Heap buffer overflow in Video. Reported by Google. - CVE-2026-10950: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10951: Use after free in Autofill. Reported by Google. - CVE-2026-10952: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10953: Use after free in Core. Reported by Google. - CVE-2026-10954: Use after free in Actor. Reported by Google. - CVE-2026-10955: Type Confusion in ANGLE. Reported by Google. - CVE-2026-10956: Use after free in MimeHandlerView. Reported by Google. - CVE-2026-10957: Use after free in Glic. Reported by Google. - CVE-2026-10958: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10959: Use after free in Input. Reported by Google. - CVE-2026-10960: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-10961: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10962: Type Confusion in Media. Reported by Google. - CVE-2026-10963: Integer overflow in V8. Reported by Google. - CVE-2026-10964: Integer overflow in V8. Reported by Google. - CVE-2026-10965: Integer overflow in DevTools. Reported by Google. - CVE-2026-10966: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10967: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-10968: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10969: Insufficient validation of untrusted input in Extensions Reported by Google. - CVE-2026-10970: Insufficient validation of untrusted input in InterestGroups. Reported by Google. - CVE-2026-10971: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-10972: Use after free in Ozone. Reported by Google. - CVE-2026-10973: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10974: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-10975: Use after free in WebRTC. Reported by Google. - CVE-2026-10976: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10977: Uninitialized Use in Skia. Reported by Google. - CVE-2026-10978: Use after free in Chromoting. Reported by Google. - CVE-2026-10979: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10980: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10981: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10982: Use after free in WebXR. Reported by Google. - CVE-2026-10983: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10984: Inappropriate implementation in Accessibility. Reported by Google. - CVE-2026-10985: Out of bounds read in Skia. Reported by Google. - CVE-2026-10986: Integer overflow in Media. Reported by Google. - CVE-2026-10987: Integer overflow in V8. Reported by Google. - CVE-2026-10988: Use after free in Views. Reported by Google. - CVE-2026-10989: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10990: Use after free in Glic. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10991: Use after free in V8. Reported by Alisa Esage (@alisaesage). - CVE-2026-10992: Insufficient data validation in Animation. Reported by heapracer (@heapracer). - CVE-2026-10993: Heap buffer overflow in Skia. Reported by M. Fauzan Wijaya (Gh05t666nero). - CVE-2026-10994: Uninitialized Use in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10995: Heap buffer overflow in TabStrip. Reported by Sven Dysthe (@svn-dys). - CVE-2026-10996: Inappropriate implementation in Workers. Reported by Jayateertha Guruprasad. - CVE-2026-10997: Insufficient policy enforcement in Extensions. Reported by djallalakira@gmail.com. - CVE-2026-10998: Out of bounds read in Media. Reported by Ameen Basha M K - CVE-2026-10999: Out of bounds memory access in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11000: Use after free in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11001: Incorrect security UI in Payments. Reported by Google. - CVE-2026-11002: Use after free in Autofill. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11003: Use after free in WebRTC. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. - CVE-2026-11004: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11005: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11006: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11007: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-11008: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11009: Use after free in USB. Reported by Google. - CVE-2026-11010: Use after free in WebShare. Reported by David Sievers. - CVE-2026-11011: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11012: Use after free in Serial. Reported by Google. - CVE-2026-11013: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11014: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11015: Out of bounds read in WebGPU. Reported by Yuma Takeuchi. - CVE-2026-11016: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11017: Inappropriate implementation in Link Preview. Reported by Google. - CVE-2026-11018: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11019: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11020: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11021: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11022: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11023: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11024: Stack buffer overflow in Skia. Reported by Google. - CVE-2026-11025: Insufficient policy enforcement in Navigation. Reported by Google. - CVE-2026-11026: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11027: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-11028: Use after free in Media. Reported by Google. - CVE-2026-11029: Insufficient validation of untrusted input in Drag and Drop. Reported by Google. - CVE-2026-11030: Use after free in Network. Reported by Google. - CVE-2026-11031: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11032: Insufficient data validation in Password Manager. Reported by Google. - CVE-2026-11033: Uninitialized Use in WebML. Reported by Google. - CVE-2026-11034: Insufficient validation of untrusted input in Tab Group Sync. Reported by Google. - CVE-2026-11035: Insufficient validation of untrusted input in Custom Tabs. Reported by Google. - CVE-2026-11036: Inappropriate implementation in DOM. Reported by Google - CVE-2026-11037: Out of bounds write in Codecs. Reported by Google. - CVE-2026-11038: Insufficient validation of untrusted input in Subresource Integrity. Reported by Google. - CVE-2026-11039: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11040: Use after free in ANGLE. Reported by Google. - CVE-2026-11041: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11042: Use after free in Views. Reported by Google. - CVE-2026-11043: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-11044: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11045: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11046: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11047: Insufficient validation of untrusted input in Base. Reported by Google. - CVE-2026-11048: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11049: Use after free in Password Manager. Reported by Google. - CVE-2026-11050: Use after free in V8. Reported by Google. - CVE-2026-11051: Out of bounds read in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11052: Type Confusion in GPU. Reported by Google. - CVE-2026-11053: VULNERABILITY in WebRTC. Reported by Google. - CVE-2026-11054: Use after free in WebRTC. Reported by Google. - CVE-2026-11055: Use after free in ANGLE. Reported by Google. - CVE-2026-11056: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-11057: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11058: Integer overflow in CredentialProvider. Reported by Google. - CVE-2026-11059: Use after free in Blink. Reported by Google. - CVE-2026-11060: Use after free in Media. Reported by Google. - CVE-2026-11061: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11062: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11063: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-11064: Uninitialized Use in GPU. Reported by Google. - CVE-2026-11065: Use after free in ANGLE. Reported by Google. - CVE-2026-11066: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11067: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11068: Use after free in WebSockets. Reported by Google. - CVE-2026-11069: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11070: Insufficient validation of untrusted input in Chromoting Reported by Google. - CVE-2026-11071: Use after free in Base. Reported by Google. - CVE-2026-11072: Use after free in WebView. Reported by Google. - CVE-2026-11073: Use after free in WebGL. Reported by Google. - CVE-2026-11074: Use after free in WebRTC. Reported by boboliverfrancishoward@gmail.com. - CVE-2026-11075: Out of bounds read in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-11076: Type Confusion in CSS. Reported by Google. - CVE-2026-11077: Out of bounds read in Dawn. Reported by Anonymous. - CVE-2026-11078: Insufficient validation of untrusted input in FileSystem. Reported by Eran Rom of Palo Alto Networks. - CVE-2026-11079: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11080: Use after free in WebView. Reported by Google. - CVE-2026-11081: Policy bypass in Canvas. Reported by Google. - CVE-2026-11082: Use after free in GPU. Reported by Google. - CVE-2026-11083: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11084: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11085: Integer overflow in GPU. Reported by Google. - CVE-2026-11086: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11087: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11088: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11089: Uninitialized Use in Media. Reported by Google. - CVE-2026-11090: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11091: Inappropriate implementation in Dawn. Reported by Google - CVE-2026-11092: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11093: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-11094: Use after free in Codecs. Reported by Google. - CVE-2026-11095: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11096: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11097: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11098: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11099: Vulnerability in Skia. Reported by Google. - CVE-2026-11100: Use after free in File Input. Reported by Google. - CVE-2026-11101: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11102: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-11103: Inappropriate implementation in Installer. Reported by Google. - CVE-2026-11104: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11105: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-11106: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11107: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-11108: Inappropriate implementation in NFC. Reported by Google - CVE-2026-11109: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11110: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11111: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11112: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11113: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11114: Use after free in Device Trust. Reported by Google. - CVE-2026-11115: Use after free in Updater. Reported by Google. - CVE-2026-11116: Use after free in Chromoting. Reported by Google. - CVE-2026-11117: Use after free in Views. Reported by Google. - CVE-2026-11118: Use after free in WebRTC. Reported by Google. - CVE-2026-11119: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11120: Insufficient validation of untrusted input in Enterprise Reporting. Reported by Google. - CVE-2026-11121: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11122: Inappropriate implementation in Keyboard. Reported by Google. - CVE-2026-11123: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11124: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-11125: Use after free in Compositing. Reported by Google. - CVE-2026-11126: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11127: Inappropriate implementation in WebAPKs. Reported by Google. - CVE-2026-11128: Insufficient validation of untrusted input in Web Share. Reported by Google. - CVE-2026-11129: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11130: Use after free in Media. Reported by Google. - CVE-2026-11131: Use after free in Autofill. Reported by Google. - CVE-2026-11132: Policy bypass in Paint. Reported by Google. - CVE-2026-11133: Insufficient policy enforcement in Paint. Reported by Google. - CVE-2026-11134: Insufficient data validation in Media. Reported by Google. - CVE-2026-11135: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-11136: Use after free in Canvas. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-11137: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11138: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11139: Policy bypass in Paint. Reported by Google. - CVE-2026-11140: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-11141: Uninitialized Use in Audio. Reported by Google. - CVE-2026-11142: Policy bypass in Paint. Reported by Google. - CVE-2026-11143: Heap buffer overflow in Extensions. Reported by Google. - CVE-2026-11144: Use after free in Media. Reported by Google. - CVE-2026-11145: Race in Geolocation. Reported by Google. - CVE-2026-11146: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11147: Use after free in WebML. Reported by Google. - CVE-2026-11148: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11149: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11150: Inappropriate implementation in XML. Reported by Google - CVE-2026-11151: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11152: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-11153: Side-channel information leakage in Forms. Reported by Google. - CVE-2026-11154: Use after free in Dawn. Reported by Google. - CVE-2026-11155: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11156: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11157: Script injection in Accessibility. Reported by Google. - CVE-2026-11158: Insufficient validation of untrusted input in Downloads. Reported by Google. - CVE-2026-11159: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11160: Out of bounds read in Input. Reported by Google. - CVE-2026-11161: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-11162: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11163: Use after free in Messages. Reported by Google. - CVE-2026-11164: Use after free in Blink. Reported by Google. - CVE-2026-11165: Use after free in WebMIDI. Reported by Google. - CVE-2026-11166: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11167: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11168: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11169: Inappropriate implementation in XML. Reported by Google - CVE-2026-11170: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-11171: Integer overflow in Blink. Reported by Google. - CVE-2026-11172: Incorrect security UI in Contact Picker. Reported by mochazril.ti@gmail.com. - CVE-2026-11173: Out of bounds write in V8. Reported by Google. - CVE-2026-11174: Insufficient policy enforcement in Site Isolation. Reported by Google. - CVE-2026-11175: Incorrect security UI in Messages. Reported by Google. - CVE-2026-11176: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11177: Use after free in Omnibox. Reported by gevakun. - CVE-2026-11178: Policy bypass in WebView. Reported by Google. - CVE-2026-11179: Inappropriate implementation in ORB. Reported by Google - CVE-2026-11180: Policy bypass in SVG. Reported by Google. - CVE-2026-11181: Inappropriate implementation in Media Session. Reported by Google. - CVE-2026-11182: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11183: Out of bounds read in GWP-ASan. Reported by Google. - CVE-2026-11184: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11185: Use after free in V8. Reported by Google. - CVE-2026-11186: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11187: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-11188: Use after free in USB. Reported by Google. - CVE-2026-11189: Insufficient validation of untrusted input in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-11190: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11191: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-11192: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11193: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11194: Inappropriate implementation in Network. Reported by Google. - CVE-2026-11195: Inappropriate implementation in MHTML. Reported by Google. - CVE-2026-11196: Type Confusion in XML. Reported by Google. - CVE-2026-11197: Insufficient policy enforcement in Workers. Reported by VEZEKA. - CVE-2026-11198: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11199: Insufficient validation of untrusted input in WebRTC. Reported by Google. - CVE-2026-11200: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-11201: Use after free in ServiceWorker. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11202: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11203: Policy bypass in GPU. Reported by Google. - CVE-2026-11204: Inappropriate implementation in Signin. Reported by Google. - CVE-2026-11205: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11206: Policy bypass in ServiceWorker. Reported by David Bors, Catalin Iovita. - CVE-2026-11207: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-11208: Use after free in Codecs. Reported by Google. - CVE-2026-11209: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-11210: Insufficient policy enforcement in Safe Browsing. Reported by Google. - CVE-2026-11211: Integer overflow in V8. Reported by Google. - CVE-2026-11212: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11213: Insufficient validation of untrusted input in Reading Mode. Reported by Google. - CVE-2026-11214: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-11215: Inappropriate implementation in Cronet. Reported by Google. - CVE-2026-11216: Incorrect security UI in File Input. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-11217: Insufficient policy enforcement in Fenced Frames. Reported by Tianyi Hu. - CVE-2026-11218: Inappropriate implementation in PlatformIntegration. Reported by Han Liu (Xi’an Jiaotong University, School of Cyber Science and Engineering). - CVE-2026-11219: Insufficient data validation in Navigation. Reported by Bharat (mrnoob) . - CVE-2026-11220: Insufficient validation of untrusted input in Navigation. Reported by Tianyi Hu. - CVE-2026-11221: Insufficient validation of untrusted input in PointerLock. Reported by mihalis.haatainen@bountyy.fi. - CVE-2026-11222: Incorrect security UI in Tab Strip. Reported by Hafiizh - CVE-2026-11223: Insufficient validation of untrusted input in Network. Reported by Tianyi Hu. - CVE-2026-11224: Use after free in Chromoting. Reported by David Bors, Catalin Iovita. - CVE-2026-11225: Incorrect security UI in WebUI. Reported by Tareq Ahamed - itztrq. - CVE-2026-11226: Insufficient policy enforcement in PreviewTab. Reported by Google. - CVE-2026-11227: Incorrect security UI in Tab Hover Cards. Reported by Hafiizh. - CVE-2026-11228: Incorrect security UI in File Input. Reported by Umar Farooq . - CVE-2026-11229: Insufficient policy enforcement in Enterprise. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-11230: Use after free in Extensions. Reported by Google. - CVE-2026-11231: Inappropriate implementation in Safe Browsing. Reported by Google. - CVE-2026-11232: Inappropriate implementation in TabGroups. Reported by Google. - CVE-2026-11233: Insufficient validation of untrusted input in FoldableAPIs. Reported by Google. - CVE-2026-11234: Insufficient policy enforcement in FoldableAPIs. Reported by Google. - CVE-2026-11235: Insufficient validation of untrusted input in Compositing. Reported by Google. - CVE-2026-11236: Insufficient policy enforcement in Web Bluetooth. Reported by Google. - CVE-2026-11237: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11238: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11239: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11240: Insufficient validation of untrusted input in Loader. Reported by Google. - CVE-2026-11241: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11242: Insufficient validation of untrusted input in Plugins. Reported by Google. - CVE-2026-11243: Incorrect security UI in Downloads. Reported by Google. - CVE-2026-11244: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-11245: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11246: Insufficient validation of untrusted input in IndexedDB. Reported by Google. - CVE-2026-11247: Insufficient policy enforcement in CustomTabs. Reported by Google. - CVE-2026-11248: Policy bypass in Google Lens. Reported by Google. - CVE-2026-11249: Use after free in Network. Reported by Google. - CVE-2026-11250: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11251: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11252: Policy bypass in Content Settings. Reported by Google. - CVE-2026-11253: Race in Permissions. Reported by Google. - CVE-2026-11254: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11255: Insufficient validation of untrusted input in Storage Access API. Reported by Google. - CVE-2026-11256: Out of bounds read in GPU. Reported by Google. - CVE-2026-11257: Inappropriate implementation in Browser. Reported by Google. - CVE-2026-11258: Inappropriate implementation in File System Access. Reported by Google. - CVE-2026-11259: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11260: Policy bypass in Permissions. Reported by Google. - CVE-2026-11261: Insufficient validation of untrusted input in PDF. Reported by Google. - CVE-2026-11262: Use after free in TabStrip. Reported by Google. - CVE-2026-11263: Insufficient policy enforcement in WebAuthentication. Reported by Google. - CVE-2026-11264: Policy bypass in Content Security Policy. Reported by Google. - CVE-2026-11265: Insufficient data validation in Autofill. Reported by Google. - CVE-2026-11266: Policy bypass in SafeBrowsing. Reported by Google. - CVE-2026-11267: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11268: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11269: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11270: Inappropriate implementation in UI. Reported by Google. - CVE-2026-11271: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-11272: Insufficient validation of untrusted input in Reading List. Reported by Google. - CVE-2026-11273: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-11274: Inappropriate implementation in DOM Distiller. Reported by Google. - CVE-2026-11275: Insufficient policy enforcement in Page Info. Reported by Google. - CVE-2026-11276: Inappropriate implementation in Cast. Reported by Google - CVE-2026-11277: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11278: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-11279: Out of bounds read in DevTools. Reported by Google. - CVE-2026-11280: Insufficient validation of untrusted input in Signin. Reported by Google. - CVE-2026-11281: Integer overflow in Chromoting. Reported by Google. - CVE-2026-11282: Policy bypass in Sandbox. Reported by Google. - CVE-2026-11283: Policy bypass in Shortcuts. Reported by Google. - CVE-2026-11284: Side-channel information leakage in PerformanceAPIs. Reported by Google. - CVE-2026-11285: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11286: Insufficient validation of untrusted input in Wallet. Reported by Google. - CVE-2026-11287: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-11288: Policy bypass in CSS. Reported by Google. - CVE-2026-11289: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-11290: Integer overflow in WebView. Reported by Google. - CVE-2026-11291: Policy bypass in Android Autofill. Reported by Google. - CVE-2026-11292: Policy bypass in Blink. Reported by Google. - CVE-2026-11293: Use after free in Input. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11294: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11295: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11296: Inappropriate implementation in ImageCapture. Reported by Google. - CVE-2026-11297: Insufficient validation of untrusted input in Reader Mode. Reported by Google. - CVE-2026-11298: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11299: Out of bounds read in Fonts. Reported by sharadboni@gmail.com. - CVE-2026-11300: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11301: Out of bounds read in LiveCaption. Reported by Google. - CVE-2026-11302: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11303: Use after free in PDFium. Reported by Google. - CVE-2026-11304: Use after free in PDFium. Reported by Google. - CVE-2026-11305: Use after free in PDFium. Reported by Google. - CVE-2026-11306: Use after free in PDFium. Reported by Google. - CVE-2026-11307: Use after free in PDFium. Reported by Google. - CVE-2026-11308: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11309: Insufficient policy enforcement in History. Reported by Google. * d/patches: - upstream/turboshaft.patch: drop, merged upstream. - fixes/enable-widevine-on-arm64-linux-platform.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/armhf-icf.patch: refresh. - disable/catapult.patch: refresh. - llvm-19/clang19.patch: add more bits to drop unsupported warning and diagnostic flags. - trixie/gn-inputs.patch: drop portion of patch due to upstream changes. - trixie/gn-inputs2.patch: refresh. - bookworm/bindgen.patch: drop due to upgraded bindgen [sid, trixie]. - bookworm/gn-allowlist.patch: drop due to upgraded generate-ninja [sid, trixie]. - llvm-22/ignore-for-ubsan.patch: update for upstream reworking. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/disable-privacy-sandbox.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - trixie/gn-expand-dir-allowlist.patch: add new patch to work around older generate-ninja. - fixes/libcpp-headers.patch: update for upstream changes reworking how this was done. - disable/libei.patch: add patch to fix build failure due to libei removal. - llvm-19/value-or.patch: add another clang-19 build workaround. - llvm-19/const-profile.patch: add patch to work around const-related clang-19 build failure. - rust-1.85/file_as_c_str.patch: rework patch due to upstream changes [trixie, bookworm]. - rust-1.85/zip8.patch: refresh [trixie, bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. * d/copyright: properly delete harfbuzz (due to harfbuzz-ng rename). . [ Daniel Richard G. ] * d/patches: - bookworm/bindgen.patch: Refresh [bookworm]. - bookworm/gn-absl.patch: Update absl_source_set("no_destructor") with visibility directive, and refresh [bookworm]. - rust-1.85/mojo-features.patch: Add feature to new Rust source file [trixie, bookworm]. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch: refresh for upstream changes - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - third_party/0005-blink-add-audio-vector-support.patch: refresh for upstream changes - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: regenerate - third_party/0003-third_party-libvpx-Add-ppc64-generated-config.patch: regenerate - third_party/0001-third_party-libvpx-Disable-vsx-on-ppc64.patch: ensure VSX is disabled until VP9 artifacting can be fixed upstream . [ Jianfeng Liu ] * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: This is a patch aleady merged to v150 to fix build on loongarch64. - loongarch64/0024-fix-libyuv-lsx.patch: Upstream has bumped the version of libyuv and it has broken build with lsx enabled on loongarch64. Add a patch to fix the build first. chromium (149.0.7827.53-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-10881: Out of bounds read and write in ANGLE. Reported by Anonymous. - CVE-2026-10882: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10883: Out of bounds write in ANGLE. Reported by Maher Azzouzi. - CVE-2026-10884: Use after free in Chromecast. Reported by Google. - CVE-2026-10885: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10886: Use after free in FileSystem. Reported by Andrew Boni. - CVE-2026-10887: Use after free in Chromoting. Reported by Google. - CVE-2026-10888: Use after free in Cast Streaming. Reported by Google. - CVE-2026-10889: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10890: Use after free in Cast. Reported by Google. - CVE-2026-10891: Use after free in GFX. Reported by Google. - CVE-2026-10892: Out of bounds write in GPU. Reported by Google. - CVE-2026-10893: Use after free in Chromoting. Reported by Google. - CVE-2026-10894: Use after free in Printing. Reported by Google. - CVE-2026-10895: Use after free in Ozone. Reported by Google. - CVE-2026-10896: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10897: Out of bounds write in GPU. Reported by Google. - CVE-2026-10898: Stack buffer overflow in GPU. Reported by Google. - CVE-2026-10899: Use after free in Ozone. Reported by Google. - CVE-2026-10900: Use after free in Passwords. Reported by Google. - CVE-2026-10901: Use after free in Passwords. Reported by Google. - CVE-2026-10902: Use after free in Ozone. Reported by Google. - CVE-2026-10903: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10904: Inappropriate implementation in V8. Reported by 303f06e3 - CVE-2026-10905: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10906: Use after free in WebAuthentication. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10907: Out of bounds write in ANGLE. Reported by sweetchip. - CVE-2026-10908: Use after free in FullScreen. Reported by Mihnea Nicolau - CVE-2026-10909: Use after free in Dawn. Reported by whiter@xuanyusec. - CVE-2026-10910: Type Confusion in V8. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10911: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10912: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-10913: Use after free in ANGLE. Reported by Google. - CVE-2026-10914: Use after free in ANGLE. Reported by Google. - CVE-2026-10915: Use after free in Core. Reported by Google. - CVE-2026-10916: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10917: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-10918: Use after free in Viz. Reported by Google. - CVE-2026-10919: Use after free in ANGLE. Reported by Google. - CVE-2026-10920: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-10921: Integer overflow in Dawn. Reported by Google. - CVE-2026-10922: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10923: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10924: Integer overflow in Chromecast. Reported by Google. - CVE-2026-10925: Out of bounds write in Skia. Reported by Google. - CVE-2026-10926: Use after free in Cast. Reported by Google. - CVE-2026-10927: Out of bounds read in Dawn. Reported by Google. - CVE-2026-10928: Script injection in Headless. Reported by Google. - CVE-2026-10929: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-10930: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10931: Use after free in FileSystem. Reported by asjidkalam. - CVE-2026-10932: Use after free in UI. Reported by Google. - CVE-2026-10933: Use after free in Audio. Reported by Google. - CVE-2026-10934: Use after free in Autofill. Reported by Google. - CVE-2026-10935: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10936: Type Confusion in V8. Reported by Google. - CVE-2026-10937: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-10938: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-10939: Use after free in WebRTC. Reported by Google. - CVE-2026-10940: Race in Codecs. Reported by Google. - CVE-2026-10941: Out of bounds memory access in Skia. Reported by Google. - CVE-2026-10942: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-10943: Use after free in WebRTC. Reported by Rayyan Kadar. - CVE-2026-10944: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10945: Use after free in PDF. Reported by Google. - CVE-2026-10946: Heap buffer overflow in Media. Reported by Google. - CVE-2026-10947: Use after free in WebRTC. Reported by Google. - CVE-2026-10948: Use after free in WebRTC. Reported by Google. - CVE-2026-10949: Heap buffer overflow in Video. Reported by Google. - CVE-2026-10950: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-10951: Use after free in Autofill. Reported by Google. - CVE-2026-10952: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10953: Use after free in Core. Reported by Google. - CVE-2026-10954: Use after free in Actor. Reported by Google. - CVE-2026-10955: Type Confusion in ANGLE. Reported by Google. - CVE-2026-10956: Use after free in MimeHandlerView. Reported by Google. - CVE-2026-10957: Use after free in Glic. Reported by Google. - CVE-2026-10958: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10959: Use after free in Input. Reported by Google. - CVE-2026-10960: Uninitialized Use in Codecs. Reported by Google. - CVE-2026-10961: Use after free in Chrome for iOS. Reported by Google. - CVE-2026-10962: Type Confusion in Media. Reported by Google. - CVE-2026-10963: Integer overflow in V8. Reported by Google. - CVE-2026-10964: Integer overflow in V8. Reported by Google. - CVE-2026-10965: Integer overflow in DevTools. Reported by Google. - CVE-2026-10966: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10967: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-10968: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10969: Insufficient validation of untrusted input in Extensions Reported by Google. - CVE-2026-10970: Insufficient validation of untrusted input in InterestGroups. Reported by Google. - CVE-2026-10971: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-10972: Use after free in Ozone. Reported by Google. - CVE-2026-10973: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10974: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-10975: Use after free in WebRTC. Reported by Google. - CVE-2026-10976: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-10977: Uninitialized Use in Skia. Reported by Google. - CVE-2026-10978: Use after free in Chromoting. Reported by Google. - CVE-2026-10979: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-10980: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-10981: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-10982: Use after free in WebXR. Reported by Google. - CVE-2026-10983: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-10984: Inappropriate implementation in Accessibility. Reported by Google. - CVE-2026-10985: Out of bounds read in Skia. Reported by Google. - CVE-2026-10986: Integer overflow in Media. Reported by Google. - CVE-2026-10987: Integer overflow in V8. Reported by Google. - CVE-2026-10988: Use after free in Views. Reported by Google. - CVE-2026-10989: Inappropriate implementation in V8. Reported by Google. - CVE-2026-10990: Use after free in Glic. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-10991: Use after free in V8. Reported by Alisa Esage (@alisaesage). - CVE-2026-10992: Insufficient data validation in Animation. Reported by heapracer (@heapracer). - CVE-2026-10993: Heap buffer overflow in Skia. Reported by M. Fauzan Wijaya (Gh05t666nero). - CVE-2026-10994: Uninitialized Use in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10995: Heap buffer overflow in TabStrip. Reported by Sven Dysthe (@svn-dys). - CVE-2026-10996: Inappropriate implementation in Workers. Reported by Jayateertha Guruprasad. - CVE-2026-10997: Insufficient policy enforcement in Extensions. Reported by djallalakira@gmail.com. - CVE-2026-10998: Out of bounds read in Media. Reported by Ameen Basha M K - CVE-2026-10999: Out of bounds memory access in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11000: Use after free in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11001: Incorrect security UI in Payments. Reported by Google. - CVE-2026-11002: Use after free in Autofill. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11003: Use after free in WebRTC. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. - CVE-2026-11004: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11005: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-11006: Out of bounds read in Dawn. Reported by Google. - CVE-2026-11007: Insufficient validation of untrusted input in WebView. Reported by Google. - CVE-2026-11008: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11009: Use after free in USB. Reported by Google. - CVE-2026-11010: Use after free in WebShare. Reported by David Sievers. - CVE-2026-11011: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11012: Use after free in Serial. Reported by Google. - CVE-2026-11013: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11014: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11015: Out of bounds read in WebGPU. Reported by Yuma Takeuchi. - CVE-2026-11016: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-11017: Inappropriate implementation in Link Preview. Reported by Google. - CVE-2026-11018: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11019: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11020: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11021: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11022: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11023: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-11024: Stack buffer overflow in Skia. Reported by Google. - CVE-2026-11025: Insufficient policy enforcement in Navigation. Reported by Google. - CVE-2026-11026: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11027: Insufficient validation of untrusted input in Glic. Reported by Google. - CVE-2026-11028: Use after free in Media. Reported by Google. - CVE-2026-11029: Insufficient validation of untrusted input in Drag and Drop. Reported by Google. - CVE-2026-11030: Use after free in Network. Reported by Google. - CVE-2026-11031: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11032: Insufficient data validation in Password Manager. Reported by Google. - CVE-2026-11033: Uninitialized Use in WebML. Reported by Google. - CVE-2026-11034: Insufficient validation of untrusted input in Tab Group Sync. Reported by Google. - CVE-2026-11035: Insufficient validation of untrusted input in Custom Tabs. Reported by Google. - CVE-2026-11036: Inappropriate implementation in DOM. Reported by Google - CVE-2026-11037: Out of bounds write in Codecs. Reported by Google. - CVE-2026-11038: Insufficient validation of untrusted input in Subresource Integrity. Reported by Google. - CVE-2026-11039: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11040: Use after free in ANGLE. Reported by Google. - CVE-2026-11041: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11042: Use after free in Views. Reported by Google. - CVE-2026-11043: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-11044: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11045: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11046: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11047: Insufficient validation of untrusted input in Base. Reported by Google. - CVE-2026-11048: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11049: Use after free in Password Manager. Reported by Google. - CVE-2026-11050: Use after free in V8. Reported by Google. - CVE-2026-11051: Out of bounds read in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-11052: Type Confusion in GPU. Reported by Google. - CVE-2026-11053: VULNERABILITY in WebRTC. Reported by Google. - CVE-2026-11054: Use after free in WebRTC. Reported by Google. - CVE-2026-11055: Use after free in ANGLE. Reported by Google. - CVE-2026-11056: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-11057: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11058: Integer overflow in CredentialProvider. Reported by Google. - CVE-2026-11059: Use after free in Blink. Reported by Google. - CVE-2026-11060: Use after free in Media. Reported by Google. - CVE-2026-11061: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11062: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11063: Insufficient validation of untrusted input in WebNN. Reported by Google. - CVE-2026-11064: Uninitialized Use in GPU. Reported by Google. - CVE-2026-11065: Use after free in ANGLE. Reported by Google. - CVE-2026-11066: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11067: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11068: Use after free in WebSockets. Reported by Google. - CVE-2026-11069: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11070: Insufficient validation of untrusted input in Chromoting Reported by Google. - CVE-2026-11071: Use after free in Base. Reported by Google. - CVE-2026-11072: Use after free in WebView. Reported by Google. - CVE-2026-11073: Use after free in WebGL. Reported by Google. - CVE-2026-11074: Use after free in WebRTC. Reported by boboliverfrancishoward@gmail.com. - CVE-2026-11075: Out of bounds read in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-11076: Type Confusion in CSS. Reported by Google. - CVE-2026-11077: Out of bounds read in Dawn. Reported by Anonymous. - CVE-2026-11078: Insufficient validation of untrusted input in FileSystem. Reported by Eran Rom of Palo Alto Networks. - CVE-2026-11079: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11080: Use after free in WebView. Reported by Google. - CVE-2026-11081: Policy bypass in Canvas. Reported by Google. - CVE-2026-11082: Use after free in GPU. Reported by Google. - CVE-2026-11083: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11084: Inappropriate implementation in Password Manager. Reported by Google. - CVE-2026-11085: Integer overflow in GPU. Reported by Google. - CVE-2026-11086: Insufficient validation of untrusted input in Dawn. Reported by Google. - CVE-2026-11087: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11088: Integer overflow in ANGLE. Reported by Google. - CVE-2026-11089: Uninitialized Use in Media. Reported by Google. - CVE-2026-11090: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11091: Inappropriate implementation in Dawn. Reported by Google - CVE-2026-11092: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11093: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-11094: Use after free in Codecs. Reported by Google. - CVE-2026-11095: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11096: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-11097: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11098: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11099: Vulnerability in Skia. Reported by Google. - CVE-2026-11100: Use after free in File Input. Reported by Google. - CVE-2026-11101: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-11102: Inappropriate implementation in Isolated Web Apps. Reported by Google. - CVE-2026-11103: Inappropriate implementation in Installer. Reported by Google. - CVE-2026-11104: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11105: Insufficient validation of untrusted input in WebUI. Reported by Google. - CVE-2026-11106: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11107: Inappropriate implementation in Downloads. Reported by Google. - CVE-2026-11108: Inappropriate implementation in NFC. Reported by Google - CVE-2026-11109: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11110: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11111: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-11112: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11113: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-11114: Use after free in Device Trust. Reported by Google. - CVE-2026-11115: Use after free in Updater. Reported by Google. - CVE-2026-11116: Use after free in Chromoting. Reported by Google. - CVE-2026-11117: Use after free in Views. Reported by Google. - CVE-2026-11118: Use after free in WebRTC. Reported by Google. - CVE-2026-11119: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-11120: Insufficient validation of untrusted input in Enterprise Reporting. Reported by Google. - CVE-2026-11121: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-11122: Inappropriate implementation in Keyboard. Reported by Google. - CVE-2026-11123: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11124: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-11125: Use after free in Compositing. Reported by Google. - CVE-2026-11126: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-11127: Inappropriate implementation in WebAPKs. Reported by Google. - CVE-2026-11128: Insufficient validation of untrusted input in Web Share. Reported by Google. - CVE-2026-11129: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11130: Use after free in Media. Reported by Google. - CVE-2026-11131: Use after free in Autofill. Reported by Google. - CVE-2026-11132: Policy bypass in Paint. Reported by Google. - CVE-2026-11133: Insufficient policy enforcement in Paint. Reported by Google. - CVE-2026-11134: Insufficient data validation in Media. Reported by Google. - CVE-2026-11135: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-11136: Use after free in Canvas. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-11137: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11138: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11139: Policy bypass in Paint. Reported by Google. - CVE-2026-11140: Insufficient validation of untrusted input in Chromecast. Reported by Google. - CVE-2026-11141: Uninitialized Use in Audio. Reported by Google. - CVE-2026-11142: Policy bypass in Paint. Reported by Google. - CVE-2026-11143: Heap buffer overflow in Extensions. Reported by Google. - CVE-2026-11144: Use after free in Media. Reported by Google. - CVE-2026-11145: Race in Geolocation. Reported by Google. - CVE-2026-11146: Insufficient validation of untrusted input in Chromoting. Reported by Google. - CVE-2026-11147: Use after free in WebML. Reported by Google. - CVE-2026-11148: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11149: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11150: Inappropriate implementation in XML. Reported by Google - CVE-2026-11151: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11152: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-11153: Side-channel information leakage in Forms. Reported by Google. - CVE-2026-11154: Use after free in Dawn. Reported by Google. - CVE-2026-11155: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11156: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11157: Script injection in Accessibility. Reported by Google. - CVE-2026-11158: Insufficient validation of untrusted input in Downloads. Reported by Google. - CVE-2026-11159: Uninitialized Use in Skia. Reported by Google. - CVE-2026-11160: Out of bounds read in Input. Reported by Google. - CVE-2026-11161: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-11162: Insufficient policy enforcement in CSS. Reported by Google. - CVE-2026-11163: Use after free in Messages. Reported by Google. - CVE-2026-11164: Use after free in Blink. Reported by Google. - CVE-2026-11165: Use after free in WebMIDI. Reported by Google. - CVE-2026-11166: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11167: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11168: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11169: Inappropriate implementation in XML. Reported by Google - CVE-2026-11170: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-11171: Integer overflow in Blink. Reported by Google. - CVE-2026-11172: Incorrect security UI in Contact Picker. Reported by mochazril.ti@gmail.com. - CVE-2026-11173: Out of bounds write in V8. Reported by Google. - CVE-2026-11174: Insufficient policy enforcement in Site Isolation. Reported by Google. - CVE-2026-11175: Incorrect security UI in Messages. Reported by Google. - CVE-2026-11176: Inappropriate implementation in Media. Reported by Google. - CVE-2026-11177: Use after free in Omnibox. Reported by gevakun. - CVE-2026-11178: Policy bypass in WebView. Reported by Google. - CVE-2026-11179: Inappropriate implementation in ORB. Reported by Google - CVE-2026-11180: Policy bypass in SVG. Reported by Google. - CVE-2026-11181: Inappropriate implementation in Media Session. Reported by Google. - CVE-2026-11182: Inappropriate implementation in SVG. Reported by Google - CVE-2026-11183: Out of bounds read in GWP-ASan. Reported by Google. - CVE-2026-11184: Insufficient policy enforcement in Actor. Reported by Google. - CVE-2026-11185: Use after free in V8. Reported by Google. - CVE-2026-11186: Inappropriate implementation in CSS. Reported by Google - CVE-2026-11187: Insufficient policy enforcement in Glic. Reported by Google. - CVE-2026-11188: Use after free in USB. Reported by Google. - CVE-2026-11189: Insufficient validation of untrusted input in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-11190: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11191: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-11192: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11193: Insufficient policy enforcement in Password Manager. Reported by Google. - CVE-2026-11194: Inappropriate implementation in Network. Reported by Google. - CVE-2026-11195: Inappropriate implementation in MHTML. Reported by Google. - CVE-2026-11196: Type Confusion in XML. Reported by Google. - CVE-2026-11197: Insufficient policy enforcement in Workers. Reported by VEZEKA. - CVE-2026-11198: Insufficient validation of untrusted input in Codecs. Reported by Google. - CVE-2026-11199: Insufficient validation of untrusted input in WebRTC. Reported by Google. - CVE-2026-11200: Inappropriate implementation in WebRTC. Reported by Google. - CVE-2026-11201: Use after free in ServiceWorker. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11202: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11203: Policy bypass in GPU. Reported by Google. - CVE-2026-11204: Inappropriate implementation in Signin. Reported by Google. - CVE-2026-11205: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google. - CVE-2026-11206: Policy bypass in ServiceWorker. Reported by David Bors, Catalin Iovita. - CVE-2026-11207: Insufficient validation of untrusted input in Autofill. Reported by Google. - CVE-2026-11208: Use after free in Codecs. Reported by Google. - CVE-2026-11209: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-11210: Insufficient policy enforcement in Safe Browsing. Reported by Google. - CVE-2026-11211: Integer overflow in V8. Reported by Google. - CVE-2026-11212: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-11213: Insufficient validation of untrusted input in Reading Mode. Reported by Google. - CVE-2026-11214: Inappropriate implementation in Chrome for iOS. Reported by Google. - CVE-2026-11215: Inappropriate implementation in Cronet. Reported by Google. - CVE-2026-11216: Incorrect security UI in File Input. Reported by Azza Tegar Naufal Ataullah. - CVE-2026-11217: Insufficient policy enforcement in Fenced Frames. Reported by Tianyi Hu. - CVE-2026-11218: Inappropriate implementation in PlatformIntegration. Reported by Han Liu (Xi’an Jiaotong University, School of Cyber Science and Engineering). - CVE-2026-11219: Insufficient data validation in Navigation. Reported by Bharat (mrnoob) . - CVE-2026-11220: Insufficient validation of untrusted input in Navigation. Reported by Tianyi Hu. - CVE-2026-11221: Insufficient validation of untrusted input in PointerLock. Reported by mihalis.haatainen@bountyy.fi. - CVE-2026-11222: Incorrect security UI in Tab Strip. Reported by Hafiizh - CVE-2026-11223: Insufficient validation of untrusted input in Network. Reported by Tianyi Hu. - CVE-2026-11224: Use after free in Chromoting. Reported by David Bors, Catalin Iovita. - CVE-2026-11225: Incorrect security UI in WebUI. Reported by Tareq Ahamed - itztrq. - CVE-2026-11226: Insufficient policy enforcement in PreviewTab. Reported by Google. - CVE-2026-11227: Incorrect security UI in Tab Hover Cards. Reported by Hafiizh. - CVE-2026-11228: Incorrect security UI in File Input. Reported by Umar Farooq . - CVE-2026-11229: Insufficient policy enforcement in Enterprise. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-11230: Use after free in Extensions. Reported by Google. - CVE-2026-11231: Inappropriate implementation in Safe Browsing. Reported by Google. - CVE-2026-11232: Inappropriate implementation in TabGroups. Reported by Google. - CVE-2026-11233: Insufficient validation of untrusted input in FoldableAPIs. Reported by Google. - CVE-2026-11234: Insufficient policy enforcement in FoldableAPIs. Reported by Google. - CVE-2026-11235: Insufficient validation of untrusted input in Compositing. Reported by Google. - CVE-2026-11236: Insufficient policy enforcement in Web Bluetooth. Reported by Google. - CVE-2026-11237: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-11238: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11239: Insufficient validation of untrusted input in Extensions. Reported by Google. - CVE-2026-11240: Insufficient validation of untrusted input in Loader. Reported by Google. - CVE-2026-11241: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11242: Insufficient validation of untrusted input in Plugins. Reported by Google. - CVE-2026-11243: Incorrect security UI in Downloads. Reported by Google. - CVE-2026-11244: Insufficient validation of untrusted input in WebAuthentication. Reported by Google. - CVE-2026-11245: Inappropriate implementation in Payments. Reported by Google. - CVE-2026-11246: Insufficient validation of untrusted input in IndexedDB. Reported by Google. - CVE-2026-11247: Insufficient policy enforcement in CustomTabs. Reported by Google. - CVE-2026-11248: Policy bypass in Google Lens. Reported by Google. - CVE-2026-11249: Use after free in Network. Reported by Google. - CVE-2026-11250: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-11251: Insufficient validation of untrusted input in Password Manager. Reported by Google. - CVE-2026-11252: Policy bypass in Content Settings. Reported by Google. - CVE-2026-11253: Race in Permissions. Reported by Google. - CVE-2026-11254: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11255: Insufficient validation of untrusted input in Storage Access API. Reported by Google. - CVE-2026-11256: Out of bounds read in GPU. Reported by Google. - CVE-2026-11257: Inappropriate implementation in Browser. Reported by Google. - CVE-2026-11258: Inappropriate implementation in File System Access. Reported by Google. - CVE-2026-11259: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-11260: Policy bypass in Permissions. Reported by Google. - CVE-2026-11261: Insufficient validation of untrusted input in PDF. Reported by Google. - CVE-2026-11262: Use after free in TabStrip. Reported by Google. - CVE-2026-11263: Insufficient policy enforcement in WebAuthentication. Reported by Google. - CVE-2026-11264: Policy bypass in Content Security Policy. Reported by Google. - CVE-2026-11265: Insufficient data validation in Autofill. Reported by Google. - CVE-2026-11266: Policy bypass in SafeBrowsing. Reported by Google. - CVE-2026-11267: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-11268: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-11269: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11270: Inappropriate implementation in UI. Reported by Google. - CVE-2026-11271: Incorrect security UI in Passwords. Reported by Google. - CVE-2026-11272: Insufficient validation of untrusted input in Reading List. Reported by Google. - CVE-2026-11273: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-11274: Inappropriate implementation in DOM Distiller. Reported by Google. - CVE-2026-11275: Insufficient policy enforcement in Page Info. Reported by Google. - CVE-2026-11276: Inappropriate implementation in Cast. Reported by Google - CVE-2026-11277: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11278: Inappropriate implementation in CustomTabs. Reported by Google. - CVE-2026-11279: Out of bounds read in DevTools. Reported by Google. - CVE-2026-11280: Insufficient validation of untrusted input in Signin. Reported by Google. - CVE-2026-11281: Integer overflow in Chromoting. Reported by Google. - CVE-2026-11282: Policy bypass in Sandbox. Reported by Google. - CVE-2026-11283: Policy bypass in Shortcuts. Reported by Google. - CVE-2026-11284: Side-channel information leakage in PerformanceAPIs. Reported by Google. - CVE-2026-11285: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11286: Insufficient validation of untrusted input in Wallet. Reported by Google. - CVE-2026-11287: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-11288: Policy bypass in CSS. Reported by Google. - CVE-2026-11289: Side-channel information leakage in Paint. Reported by Google. - CVE-2026-11290: Integer overflow in WebView. Reported by Google. - CVE-2026-11291: Policy bypass in Android Autofill. Reported by Google. - CVE-2026-11292: Policy bypass in Blink. Reported by Google. - CVE-2026-11293: Use after free in Input. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2026-11294: Inappropriate implementation in Passwords. Reported by Google. - CVE-2026-11295: Inappropriate implementation in WebView. Reported by Google. - CVE-2026-11296: Inappropriate implementation in ImageCapture. Reported by Google. - CVE-2026-11297: Insufficient validation of untrusted input in Reader Mode. Reported by Google. - CVE-2026-11298: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11299: Out of bounds read in Fonts. Reported by sharadboni@gmail.com. - CVE-2026-11300: Inappropriate implementation in Permissions. Reported by Google. - CVE-2026-11301: Out of bounds read in LiveCaption. Reported by Google. - CVE-2026-11302: Insufficient policy enforcement in Chrome for iOS. Reported by Google. - CVE-2026-11303: Use after free in PDFium. Reported by Google. - CVE-2026-11304: Use after free in PDFium. Reported by Google. - CVE-2026-11305: Use after free in PDFium. Reported by Google. - CVE-2026-11306: Use after free in PDFium. Reported by Google. - CVE-2026-11307: Use after free in PDFium. Reported by Google. - CVE-2026-11308: Inappropriate implementation in Extensions. Reported by Google. - CVE-2026-11309: Insufficient policy enforcement in History. Reported by Google. * d/patches: - upstream/turboshaft.patch: drop, merged upstream. - fixes/enable-widevine-on-arm64-linux-platform.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/armhf-icf.patch: refresh. - disable/catapult.patch: refresh. - llvm-19/clang19.patch: add more bits to drop unsupported warning and diagnostic flags. - trixie/gn-inputs.patch: drop portion of patch due to upstream changes. - trixie/gn-inputs2.patch: refresh. - bookworm/bindgen.patch: drop due to upgraded bindgen [sid, trixie]. - bookworm/gn-allowlist.patch: drop due to upgraded generate-ninja [sid, trixie]. - llvm-22/ignore-for-ubsan.patch: update for upstream reworking. - ungoogled/disable-ai.patch: sync from u-c. - ungoogled/disable-privacy-sandbox.patch: sync from u-c. - ungoogled/remove-navigation-source-param.patch: sync from u-c. - trixie/gn-expand-dir-allowlist.patch: add new patch to work around older generate-ninja. - fixes/libcpp-headers.patch: update for upstream changes reworking how this was done. - disable/libei.patch: add patch to fix build failure due to libei removal. - llvm-19/value-or.patch: add another clang-19 build workaround. - llvm-19/const-profile.patch: add patch to work around const-related clang-19 build failure. - rust-1.85/file_as_c_str.patch: rework patch due to upstream changes [trixie, bookworm]. - rust-1.85/zip8.patch: refresh [trixie, bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. * d/copyright: properly delete harfbuzz (due to harfbuzz-ng rename). . [ Daniel Richard G. ] * d/patches: - bookworm/bindgen.patch: Refresh [bookworm]. - bookworm/gn-absl.patch: Update absl_source_set("no_destructor") with visibility directive, and refresh [bookworm]. - rust-1.85/mojo-features.patch: Add feature to new Rust source file [trixie, bookworm]. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch: refresh for upstream changes - third_party/0002-regenerate-xnn-buildgn.patch: refresh for upstream changes - third_party/0005-blink-add-audio-vector-support.patch: refresh for upstream changes - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: regenerate - third_party/0003-third_party-libvpx-Add-ppc64-generated-config.patch: regenerate - third_party/0001-third_party-libvpx-Disable-vsx-on-ppc64.patch: ensure VSX is disabled until VP9 artifacting can be fixed upstream . [ Jianfeng Liu ] * d/patches: - upstream/0001-Fix-build-for-CPU-yield-on-LoongArch.patch: This is a patch aleady merged to v150 to fix build on loongarch64. - loongarch64/0024-fix-libyuv-lsx.patch: Upstream has bumped the version of libyuv and it has broken build with lsx enabled on loongarch64. Add a patch to fix the build first. chromium (148.0.7778.215-2) unstable; urgency=high . [ Juan Manuel Méndez Rey ] * Team upload. * d/patches/fixes/bytemuck.patch: select bytemuck's core::simd impls by rust version rather than date, fixing FTBFS with rustc 1.95 (which removed core::simd::LaneCount) while still building on rust < 1.95 (trixie/bookworm). Affects the default chromium build too. chromium (148.0.7778.215-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-9872: Out of bounds write in GPU. Reported by cinzinga. - CVE-2026-9873: Use after free in Network. Reported by cinzinga. - CVE-2026-9874: Use after free in Dawn. Reported by Anonymous. - CVE-2026-9875: Out of bounds read in WebGL. Reported by Anonymous. - CVE-2026-9876: Use after free in WebGL. Reported by happy2me. - CVE-2026-9877: Use after free in ANGLE. Reported by Google. - CVE-2026-9878: Use after free in ANGLE. Reported by Google. - CVE-2026-9879: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9880: Insufficient validation of untrusted input in WebGL. Reported by Google. - CVE-2026-9881: Use after free in Bluetooth. Reported by Google. - CVE-2026-9882: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9883: Use after free in Base. Reported by Google. - CVE-2026-9884: Use after free in Browser. Reported by Google. - CVE-2026-9885: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-9886: Use after free in Base. Reported by Google. - CVE-2026-9887: Use after free in Proxy. Reported by Google. - CVE-2026-9888: Use after free in WebView. Reported by Google. - CVE-2026-9889: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-9890: Use after free in XR. Reported by Google. - CVE-2026-9891: Use after free in Extensions. Reported by Google. - CVE-2026-9892: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9893: Use after free in Skia. Reported by Google. - CVE-2026-9894: Use after free in GPU. Reported by tohafrit. - CVE-2026-9895: Out of bounds read in GPU. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-9896: Out of bounds write in V8. Reported by 303f06e3. - CVE-2026-9897: Use after free in DOM. Reported by Google. - CVE-2026-9898: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-9899: Use after free in ANGLE. Reported by Google. - CVE-2026-9900: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9901: Use after free in ANGLE. Reported by Google. - CVE-2026-9902: Use after free in Accessibility. Reported by Google. - CVE-2026-9903: Insufficient validation of untrusted input in Site Isolation. Reported by Google. - CVE-2026-9904: Use after free in ANGLE. Reported by Google. - CVE-2026-9905: Use after free in Accessibility. Reported by Google. - CVE-2026-9906: Out of bounds write in GPU. Reported by Google. - CVE-2026-9907: Out of bounds read in Dawn. Reported by Google. - CVE-2026-9908: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9909: Integer overflow in Skia. Reported by Google. - CVE-2026-9910: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-9911: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9912: Inappropriate implementation in GPU. Reported by Google. - CVE-2026-9913: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-9914: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9915: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9916: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9917: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9918: Inappropriate implementation in Tint. Reported by Google. - CVE-2026-9919: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9920: Uninitialized Use in GPU. Reported by Google. - CVE-2026-9921: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9922: Use after free in GPU. Reported by Google. - CVE-2026-9923: Use after free in Skia. Reported by Google. - CVE-2026-9924: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9925: Use after free in ANGLE. Reported by Google. - CVE-2026-9926: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9927: Use after free in ANGLE. Reported by Google. - CVE-2026-9928: Out of bounds read in ANGLE. Reported by Jeff Muizelaar - Mozilla. - CVE-2026-9929: Inappropriate implementation in WebGL. Reported by Google - CVE-2026-9930: Out of bounds write in Dawn. Reported by Google. - CVE-2026-9931: Use after free in GPU. Reported by Google. - CVE-2026-9932: Use after free in ANGLE. Reported by Google. - CVE-2026-9933: Use after free in Input. Reported by Google. - CVE-2026-9934: Use after free in Aura. Reported by Google. - CVE-2026-9935: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9936: Use after free in GFX. Reported by Google. - CVE-2026-9937: Use after free in UI. Reported by Google. - CVE-2026-9938: Inappropriate implementation in V8. Reported by Google. - CVE-2026-9939: Heap buffer overflow in WebCodecs. Reported by Google. - CVE-2026-9940: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9941: Use after free in ANGLE. Reported by Google. - CVE-2026-9942: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9943: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9944: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9945: Use after free in Media. Reported by Google. - CVE-2026-9946: Use after free in ANGLE. Reported by Google. - CVE-2026-9947: Use after free in XML. Reported by Google. - CVE-2026-9948: Use after free in Views. Reported by Google. - CVE-2026-9949: Use after free in Core. Reported by Google. - CVE-2026-9950: Insufficient validation of untrusted input in iOS. Reported by Google. - CVE-2026-9951: Use after free in UI. Reported by Google. - CVE-2026-9952: Use after free in WebAudio. Reported by Google. - CVE-2026-9953: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9954: Use after free in TabStrip. Reported by yueliu of Microsoft. - CVE-2026-9955: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9956: Use after free in iOS. Reported by Google. - CVE-2026-9957: Use after free in PDF. Reported by Google. - CVE-2026-9958: Use after free in PDFium. Reported by Google. - CVE-2026-9959: Race in WebRTC. Reported by Google. - CVE-2026-9960: Integer overflow in PDFium. Reported by Google. - CVE-2026-9961: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-9962: Use after free in WebRTC. Reported by Google. - CVE-2026-9963: Uninitialized Use in iOS. Reported by Google. - CVE-2026-9964: Use after free in Bluetooth. Reported by Google. - CVE-2026-9965: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9966: Integer overflow in XML. Reported by Google. - CVE-2026-9967: Out of bounds write in GPU. Reported by Google. - CVE-2026-9968: Integer overflow in V8. Reported by Google. - CVE-2026-9969: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9970: Use after free in WebGL. Reported by TFGC. - CVE-2026-9971: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9972: Uninitialized Use in Gamepad. Reported by Google. - CVE-2026-9973: Out of bounds write in V8. Reported by amyb of OpenAI. - CVE-2026-9974: Out of bounds write in GPU. Reported by Google. - CVE-2026-9975: Out of bounds read and write in ANGLE. Reported by Google - CVE-2026-9976: Inappropriate implementation in USB. Reported by Google. - CVE-2026-9977: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-9978: Use after free in Glic. Reported by Google. - CVE-2026-9979: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-9980: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-9981: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9982: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9983: Type Confusion in Skia. Reported by Google. - CVE-2026-9984: Use after free in UI. Reported by Google. - CVE-2026-9985: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-9986: Insufficient validation of untrusted input in OptimizationGuide. Reported by Google. - CVE-2026-9987: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-9988: Use after free in WebRTC. Reported by Google. - CVE-2026-9989: Inappropriate implementation in Media. Reported by Google - CVE-2026-9990: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-9991: Inappropriate implementation in Media. Reported by Google - CVE-2026-9992: Use after free in Network. Reported by Google. - CVE-2026-9993: Use after free in Views. Reported by Google. - CVE-2026-9994: Use after free in Core. Reported by Google. - CVE-2026-9995: Use after free in WebXR. Reported by Google. - CVE-2026-9996: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-9997: Use after free in Input. Reported by Google. - CVE-2026-9998: Integer overflow in Skia. Reported by Google. - CVE-2026-9999: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-10000: Use after free in Passwords. Reported by Google. - CVE-2026-10001: Use after free in PerformanceManager. Reported by Google - CVE-2026-10002: Use after free in PDFium. Reported by Google. - CVE-2026-10003: Use after free in Views. Reported by Google. - CVE-2026-10004: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-10005: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10006: Race in WebAudio. Reported by Google. - CVE-2026-10007: Use after free in SVG. Reported by Google. - CVE-2026-10008: Uninitialized Use in GPU. Reported by Google. - CVE-2026-10009: Integer overflow in Skia. Reported by Google. - CVE-2026-10010: Inappropriate implementation in Input. Reported by Google. - CVE-2026-10011: Inappropriate implementation in Skia. Reported by Google - CVE-2026-10012: Use after free in Skia. Reported by Google. - CVE-2026-10013: Use after free in WebCodecs. Reported by Google. - CVE-2026-10014: Use after free in WebMIDI. Reported by Google. - CVE-2026-10015: Integer overflow in WTF. Reported by Google. - CVE-2026-10016: Use after free in DOM. Reported by pwn2addr. - CVE-2026-10017: Out of bounds read in Headless. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10018: Integer overflow in ANGLE. Reported by Rahul Raj. - CVE-2026-10019: Integer overflow in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10020: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-10021: Insufficient validation of untrusted input in USB. Reported by Google. - CVE-2026-10022: Type Confusion in V8. Reported by ggwhyp. chromium (148.0.7778.215-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-9872: Out of bounds write in GPU. Reported by cinzinga. - CVE-2026-9873: Use after free in Network. Reported by cinzinga. - CVE-2026-9874: Use after free in Dawn. Reported by Anonymous. - CVE-2026-9875: Out of bounds read in WebGL. Reported by Anonymous. - CVE-2026-9876: Use after free in WebGL. Reported by happy2me. - CVE-2026-9877: Use after free in ANGLE. Reported by Google. - CVE-2026-9878: Use after free in ANGLE. Reported by Google. - CVE-2026-9879: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9880: Insufficient validation of untrusted input in WebGL. Reported by Google. - CVE-2026-9881: Use after free in Bluetooth. Reported by Google. - CVE-2026-9882: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9883: Use after free in Base. Reported by Google. - CVE-2026-9884: Use after free in Browser. Reported by Google. - CVE-2026-9885: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-9886: Use after free in Base. Reported by Google. - CVE-2026-9887: Use after free in Proxy. Reported by Google. - CVE-2026-9888: Use after free in WebView. Reported by Google. - CVE-2026-9889: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-9890: Use after free in XR. Reported by Google. - CVE-2026-9891: Use after free in Extensions. Reported by Google. - CVE-2026-9892: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9893: Use after free in Skia. Reported by Google. - CVE-2026-9894: Use after free in GPU. Reported by tohafrit. - CVE-2026-9895: Out of bounds read in GPU. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-9896: Out of bounds write in V8. Reported by 303f06e3. - CVE-2026-9897: Use after free in DOM. Reported by Google. - CVE-2026-9898: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-9899: Use after free in ANGLE. Reported by Google. - CVE-2026-9900: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9901: Use after free in ANGLE. Reported by Google. - CVE-2026-9902: Use after free in Accessibility. Reported by Google. - CVE-2026-9903: Insufficient validation of untrusted input in Site Isolation. Reported by Google. - CVE-2026-9904: Use after free in ANGLE. Reported by Google. - CVE-2026-9905: Use after free in Accessibility. Reported by Google. - CVE-2026-9906: Out of bounds write in GPU. Reported by Google. - CVE-2026-9907: Out of bounds read in Dawn. Reported by Google. - CVE-2026-9908: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9909: Integer overflow in Skia. Reported by Google. - CVE-2026-9910: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-9911: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9912: Inappropriate implementation in GPU. Reported by Google. - CVE-2026-9913: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-9914: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9915: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9916: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9917: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9918: Inappropriate implementation in Tint. Reported by Google. - CVE-2026-9919: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9920: Uninitialized Use in GPU. Reported by Google. - CVE-2026-9921: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9922: Use after free in GPU. Reported by Google. - CVE-2026-9923: Use after free in Skia. Reported by Google. - CVE-2026-9924: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9925: Use after free in ANGLE. Reported by Google. - CVE-2026-9926: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9927: Use after free in ANGLE. Reported by Google. - CVE-2026-9928: Out of bounds read in ANGLE. Reported by Jeff Muizelaar - Mozilla. - CVE-2026-9929: Inappropriate implementation in WebGL. Reported by Google - CVE-2026-9930: Out of bounds write in Dawn. Reported by Google. - CVE-2026-9931: Use after free in GPU. Reported by Google. - CVE-2026-9932: Use after free in ANGLE. Reported by Google. - CVE-2026-9933: Use after free in Input. Reported by Google. - CVE-2026-9934: Use after free in Aura. Reported by Google. - CVE-2026-9935: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9936: Use after free in GFX. Reported by Google. - CVE-2026-9937: Use after free in UI. Reported by Google. - CVE-2026-9938: Inappropriate implementation in V8. Reported by Google. - CVE-2026-9939: Heap buffer overflow in WebCodecs. Reported by Google. - CVE-2026-9940: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9941: Use after free in ANGLE. Reported by Google. - CVE-2026-9942: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9943: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9944: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9945: Use after free in Media. Reported by Google. - CVE-2026-9946: Use after free in ANGLE. Reported by Google. - CVE-2026-9947: Use after free in XML. Reported by Google. - CVE-2026-9948: Use after free in Views. Reported by Google. - CVE-2026-9949: Use after free in Core. Reported by Google. - CVE-2026-9950: Insufficient validation of untrusted input in iOS. Reported by Google. - CVE-2026-9951: Use after free in UI. Reported by Google. - CVE-2026-9952: Use after free in WebAudio. Reported by Google. - CVE-2026-9953: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9954: Use after free in TabStrip. Reported by yueliu of Microsoft. - CVE-2026-9955: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9956: Use after free in iOS. Reported by Google. - CVE-2026-9957: Use after free in PDF. Reported by Google. - CVE-2026-9958: Use after free in PDFium. Reported by Google. - CVE-2026-9959: Race in WebRTC. Reported by Google. - CVE-2026-9960: Integer overflow in PDFium. Reported by Google. - CVE-2026-9961: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-9962: Use after free in WebRTC. Reported by Google. - CVE-2026-9963: Uninitialized Use in iOS. Reported by Google. - CVE-2026-9964: Use after free in Bluetooth. Reported by Google. - CVE-2026-9965: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9966: Integer overflow in XML. Reported by Google. - CVE-2026-9967: Out of bounds write in GPU. Reported by Google. - CVE-2026-9968: Integer overflow in V8. Reported by Google. - CVE-2026-9969: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9970: Use after free in WebGL. Reported by TFGC. - CVE-2026-9971: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9972: Uninitialized Use in Gamepad. Reported by Google. - CVE-2026-9973: Out of bounds write in V8. Reported by amyb of OpenAI. - CVE-2026-9974: Out of bounds write in GPU. Reported by Google. - CVE-2026-9975: Out of bounds read and write in ANGLE. Reported by Google - CVE-2026-9976: Inappropriate implementation in USB. Reported by Google. - CVE-2026-9977: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-9978: Use after free in Glic. Reported by Google. - CVE-2026-9979: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-9980: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-9981: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9982: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9983: Type Confusion in Skia. Reported by Google. - CVE-2026-9984: Use after free in UI. Reported by Google. - CVE-2026-9985: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-9986: Insufficient validation of untrusted input in OptimizationGuide. Reported by Google. - CVE-2026-9987: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-9988: Use after free in WebRTC. Reported by Google. - CVE-2026-9989: Inappropriate implementation in Media. Reported by Google - CVE-2026-9990: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-9991: Inappropriate implementation in Media. Reported by Google - CVE-2026-9992: Use after free in Network. Reported by Google. - CVE-2026-9993: Use after free in Views. Reported by Google. - CVE-2026-9994: Use after free in Core. Reported by Google. - CVE-2026-9995: Use after free in WebXR. Reported by Google. - CVE-2026-9996: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-9997: Use after free in Input. Reported by Google. - CVE-2026-9998: Integer overflow in Skia. Reported by Google. - CVE-2026-9999: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-10000: Use after free in Passwords. Reported by Google. - CVE-2026-10001: Use after free in PerformanceManager. Reported by Google - CVE-2026-10002: Use after free in PDFium. Reported by Google. - CVE-2026-10003: Use after free in Views. Reported by Google. - CVE-2026-10004: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-10005: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10006: Race in WebAudio. Reported by Google. - CVE-2026-10007: Use after free in SVG. Reported by Google. - CVE-2026-10008: Uninitialized Use in GPU. Reported by Google. - CVE-2026-10009: Integer overflow in Skia. Reported by Google. - CVE-2026-10010: Inappropriate implementation in Input. Reported by Google. - CVE-2026-10011: Inappropriate implementation in Skia. Reported by Google - CVE-2026-10012: Use after free in Skia. Reported by Google. - CVE-2026-10013: Use after free in WebCodecs. Reported by Google. - CVE-2026-10014: Use after free in WebMIDI. Reported by Google. - CVE-2026-10015: Integer overflow in WTF. Reported by Google. - CVE-2026-10016: Use after free in DOM. Reported by pwn2addr. - CVE-2026-10017: Out of bounds read in Headless. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10018: Integer overflow in ANGLE. Reported by Rahul Raj. - CVE-2026-10019: Integer overflow in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10020: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-10021: Insufficient validation of untrusted input in USB. Reported by Google. - CVE-2026-10022: Type Confusion in V8. Reported by ggwhyp. chromium (148.0.7778.215-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-9872: Out of bounds write in GPU. Reported by cinzinga. - CVE-2026-9873: Use after free in Network. Reported by cinzinga. - CVE-2026-9874: Use after free in Dawn. Reported by Anonymous. - CVE-2026-9875: Out of bounds read in WebGL. Reported by Anonymous. - CVE-2026-9876: Use after free in WebGL. Reported by happy2me. - CVE-2026-9877: Use after free in ANGLE. Reported by Google. - CVE-2026-9878: Use after free in ANGLE. Reported by Google. - CVE-2026-9879: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9880: Insufficient validation of untrusted input in WebGL. Reported by Google. - CVE-2026-9881: Use after free in Bluetooth. Reported by Google. - CVE-2026-9882: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9883: Use after free in Base. Reported by Google. - CVE-2026-9884: Use after free in Browser. Reported by Google. - CVE-2026-9885: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-9886: Use after free in Base. Reported by Google. - CVE-2026-9887: Use after free in Proxy. Reported by Google. - CVE-2026-9888: Use after free in WebView. Reported by Google. - CVE-2026-9889: Out of bounds read and write in Dawn. Reported by Google. - CVE-2026-9890: Use after free in XR. Reported by Google. - CVE-2026-9891: Use after free in Extensions. Reported by Google. - CVE-2026-9892: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9893: Use after free in Skia. Reported by Google. - CVE-2026-9894: Use after free in GPU. Reported by tohafrit. - CVE-2026-9895: Out of bounds read in GPU. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-9896: Out of bounds write in V8. Reported by 303f06e3. - CVE-2026-9897: Use after free in DOM. Reported by Google. - CVE-2026-9898: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-9899: Use after free in ANGLE. Reported by Google. - CVE-2026-9900: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9901: Use after free in ANGLE. Reported by Google. - CVE-2026-9902: Use after free in Accessibility. Reported by Google. - CVE-2026-9903: Insufficient validation of untrusted input in Site Isolation. Reported by Google. - CVE-2026-9904: Use after free in ANGLE. Reported by Google. - CVE-2026-9905: Use after free in Accessibility. Reported by Google. - CVE-2026-9906: Out of bounds write in GPU. Reported by Google. - CVE-2026-9907: Out of bounds read in Dawn. Reported by Google. - CVE-2026-9908: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9909: Integer overflow in Skia. Reported by Google. - CVE-2026-9910: Out of bounds memory access in ANGLE. Reported by Google. - CVE-2026-9911: Integer overflow in ANGLE. Reported by Google. - CVE-2026-9912: Inappropriate implementation in GPU. Reported by Google. - CVE-2026-9913: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-9914: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9915: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9916: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9917: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9918: Inappropriate implementation in Tint. Reported by Google. - CVE-2026-9919: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9920: Uninitialized Use in GPU. Reported by Google. - CVE-2026-9921: Uninitialized Use in WebGL. Reported by Google. - CVE-2026-9922: Use after free in GPU. Reported by Google. - CVE-2026-9923: Use after free in Skia. Reported by Google. - CVE-2026-9924: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9925: Use after free in ANGLE. Reported by Google. - CVE-2026-9926: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9927: Use after free in ANGLE. Reported by Google. - CVE-2026-9928: Out of bounds read in ANGLE. Reported by Jeff Muizelaar - Mozilla. - CVE-2026-9929: Inappropriate implementation in WebGL. Reported by Google - CVE-2026-9930: Out of bounds write in Dawn. Reported by Google. - CVE-2026-9931: Use after free in GPU. Reported by Google. - CVE-2026-9932: Use after free in ANGLE. Reported by Google. - CVE-2026-9933: Use after free in Input. Reported by Google. - CVE-2026-9934: Use after free in Aura. Reported by Google. - CVE-2026-9935: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9936: Use after free in GFX. Reported by Google. - CVE-2026-9937: Use after free in UI. Reported by Google. - CVE-2026-9938: Inappropriate implementation in V8. Reported by Google. - CVE-2026-9939: Heap buffer overflow in WebCodecs. Reported by Google. - CVE-2026-9940: Heap buffer overflow in ANGLE. Reported by Google. - CVE-2026-9941: Use after free in ANGLE. Reported by Google. - CVE-2026-9942: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9943: Out of bounds read in WebGL. Reported by Google. - CVE-2026-9944: Uninitialized Use in ANGLE. Reported by Google. - CVE-2026-9945: Use after free in Media. Reported by Google. - CVE-2026-9946: Use after free in ANGLE. Reported by Google. - CVE-2026-9947: Use after free in XML. Reported by Google. - CVE-2026-9948: Use after free in Views. Reported by Google. - CVE-2026-9949: Use after free in Core. Reported by Google. - CVE-2026-9950: Insufficient validation of untrusted input in iOS. Reported by Google. - CVE-2026-9951: Use after free in UI. Reported by Google. - CVE-2026-9952: Use after free in WebAudio. Reported by Google. - CVE-2026-9953: Out of bounds read in ANGLE. Reported by Google. - CVE-2026-9954: Use after free in TabStrip. Reported by yueliu of Microsoft. - CVE-2026-9955: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9956: Use after free in iOS. Reported by Google. - CVE-2026-9957: Use after free in PDF. Reported by Google. - CVE-2026-9958: Use after free in PDFium. Reported by Google. - CVE-2026-9959: Race in WebRTC. Reported by Google. - CVE-2026-9960: Integer overflow in PDFium. Reported by Google. - CVE-2026-9961: Use after free in SurfaceCapture. Reported by Google. - CVE-2026-9962: Use after free in WebRTC. Reported by Google. - CVE-2026-9963: Uninitialized Use in iOS. Reported by Google. - CVE-2026-9964: Use after free in Bluetooth. Reported by Google. - CVE-2026-9965: Out of bounds write in ANGLE. Reported by Google. - CVE-2026-9966: Integer overflow in XML. Reported by Google. - CVE-2026-9967: Out of bounds write in GPU. Reported by Google. - CVE-2026-9968: Integer overflow in V8. Reported by Google. - CVE-2026-9969: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9970: Use after free in WebGL. Reported by TFGC. - CVE-2026-9971: Inappropriate implementation in iOS. Reported by Google. - CVE-2026-9972: Uninitialized Use in Gamepad. Reported by Google. - CVE-2026-9973: Out of bounds write in V8. Reported by amyb of OpenAI. - CVE-2026-9974: Out of bounds write in GPU. Reported by Google. - CVE-2026-9975: Out of bounds read and write in ANGLE. Reported by Google - CVE-2026-9976: Inappropriate implementation in USB. Reported by Google. - CVE-2026-9977: Insufficient validation of untrusted input in WebShare. Reported by Google. - CVE-2026-9978: Use after free in Glic. Reported by Google. - CVE-2026-9979: Insufficient validation of untrusted input in Input. Reported by Google. - CVE-2026-9980: Insufficient validation of untrusted input in Printing. Reported by Google. - CVE-2026-9981: Inappropriate implementation in Skia. Reported by Google. - CVE-2026-9982: Insufficient validation of untrusted input in ANGLE. Reported by Google. - CVE-2026-9983: Type Confusion in Skia. Reported by Google. - CVE-2026-9984: Use after free in UI. Reported by Google. - CVE-2026-9985: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-9986: Insufficient validation of untrusted input in OptimizationGuide. Reported by Google. - CVE-2026-9987: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google. - CVE-2026-9988: Use after free in WebRTC. Reported by Google. - CVE-2026-9989: Inappropriate implementation in Media. Reported by Google - CVE-2026-9990: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-9991: Inappropriate implementation in Media. Reported by Google - CVE-2026-9992: Use after free in Network. Reported by Google. - CVE-2026-9993: Use after free in Views. Reported by Google. - CVE-2026-9994: Use after free in Core. Reported by Google. - CVE-2026-9995: Use after free in WebXR. Reported by Google. - CVE-2026-9996: Out of bounds read in WebRTC. Reported by Google. - CVE-2026-9997: Use after free in Input. Reported by Google. - CVE-2026-9998: Integer overflow in Skia. Reported by Google. - CVE-2026-9999: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-10000: Use after free in Passwords. Reported by Google. - CVE-2026-10001: Use after free in PerformanceManager. Reported by Google - CVE-2026-10002: Use after free in PDFium. Reported by Google. - CVE-2026-10003: Use after free in Views. Reported by Google. - CVE-2026-10004: Insufficient validation of untrusted input in Passwords. Reported by Google. - CVE-2026-10005: Use after free in WebAppInstalls. Reported by Google. - CVE-2026-10006: Race in WebAudio. Reported by Google. - CVE-2026-10007: Use after free in SVG. Reported by Google. - CVE-2026-10008: Uninitialized Use in GPU. Reported by Google. - CVE-2026-10009: Integer overflow in Skia. Reported by Google. - CVE-2026-10010: Inappropriate implementation in Input. Reported by Google. - CVE-2026-10011: Inappropriate implementation in Skia. Reported by Google - CVE-2026-10012: Use after free in Skia. Reported by Google. - CVE-2026-10013: Use after free in WebCodecs. Reported by Google. - CVE-2026-10014: Use after free in WebMIDI. Reported by Google. - CVE-2026-10015: Integer overflow in WTF. Reported by Google. - CVE-2026-10016: Use after free in DOM. Reported by pwn2addr. - CVE-2026-10017: Out of bounds read in Headless. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-10018: Integer overflow in ANGLE. Reported by Rahul Raj. - CVE-2026-10019: Integer overflow in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com). - CVE-2026-10020: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-10021: Insufficient validation of untrusted input in USB. Reported by Google. - CVE-2026-10022: Type Confusion in V8. Reported by ggwhyp. chromium (148.0.7778.178-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. chromium (148.0.7778.178-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-9111: Use after free in WebRTC. Reported by Google. - CVE-2026-9110: Inappropriate implementation in UI. Reported by Google. - CVE-2026-9112: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9113: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9114: Use after free in QUIC. Reported by Google. - CVE-2026-9115: Insufficient policy enforcement in Service Worker. Reported by Google. - CVE-2026-9116: Insufficient policy enforcement in ServiceWorker. Reported by Google. - CVE-2026-9117: Type Confusion in GFX. Reported by Google. - CVE-2026-9118: Use after free in XR. Reported by Google. - CVE-2026-9119: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-9120: Use after free in WebRTC. Reported by Google. - CVE-2026-9126: Use after free in DOM. Reported by Google. - CVE-2026-9121: Out of bounds read in GPU. Reported by David Korczynski (Adalogics) . - CVE-2026-9122: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9123: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-9124: Insufficient validation of untrusted input in Input. Reported by Google. chromium (148.0.7778.178-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-9111: Use after free in WebRTC. Reported by Google. - CVE-2026-9110: Inappropriate implementation in UI. Reported by Google. - CVE-2026-9112: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9113: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9114: Use after free in QUIC. Reported by Google. - CVE-2026-9115: Insufficient policy enforcement in Service Worker. Reported by Google. - CVE-2026-9116: Insufficient policy enforcement in ServiceWorker. Reported by Google. - CVE-2026-9117: Type Confusion in GFX. Reported by Google. - CVE-2026-9118: Use after free in XR. Reported by Google. - CVE-2026-9119: Heap buffer overflow in WebRTC. Reported by Google. - CVE-2026-9120: Use after free in WebRTC. Reported by Google. - CVE-2026-9126: Use after free in DOM. Reported by Google. - CVE-2026-9121: Out of bounds read in GPU. Reported by David Korczynski (Adalogics) . - CVE-2026-9122: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-9123: Heap buffer overflow in Chromecast. Reported by Google. - CVE-2026-9124: Insufficient validation of untrusted input in Input. Reported by Google. chromium (148.0.7778.167-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-8509: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8510: Integer overflow in Skia. Reported by q@calif.io. - CVE-2026-8511: Use after free in UI. Reported by Google. - CVE-2026-8512: Use after free in FileSystem. Reported by Google. - CVE-2026-8513: Use after free in Input. Reported by Google. - CVE-2026-8514: Use after free in Aura. Reported by Google. - CVE-2026-8515: Use after free in HID. Reported by Google. - CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-8517: Object lifecycle issue in WebShare. Reported by Google. - CVE-2026-8518: Use after free in Blink. Reported by Google. - CVE-2026-8519: Integer overflow in ANGLE. Reported by Google. - CVE-2026-8520: Race in Payments. Reported by Google. - CVE-2026-8521: Use after free in Tab Groups. Reported by Google. - CVE-2026-8522: Use after free in Downloads. Reported by Google. - CVE-2026-8523: Use after free in Mojo. Reported by Paul Seekamp / nullenc0de. - CVE-2026-8558: Out of bounds write in Fonts. Reported by Matej Smycka. - CVE-2026-8524: Out of bounds write in WebAudio. Reported by Brendan Dolan-Gavitt, XBOW. - CVE-2026-8525: Heap buffer overflow in ANGLE. Reported by Nathaniel Oh (@calysteon). - CVE-2026-8526: Out of bounds write in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8527: Insufficient validation of untrusted input in Downloads. Reported by rachmat.abdul.ro. - CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8529: Heap buffer overflow in Codecs. Reported by Google. - CVE-2026-8530: Use after free in Network. Reported by Google. - CVE-2026-8531: Heap buffer overflow in WebML. Reported by Syn4pse. - CVE-2026-8532: Integer overflow in XML. Reported by Google. - CVE-2026-8533: Use after free in Accessibility. Reported by Google. - CVE-2026-8534: Integer overflow in GPU. Reported by Google. - CVE-2026-8535: Out of bounds read in Media. Reported by Google. - CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode. Reported by Google. - CVE-2026-8537: Insufficient policy enforcement in ViewTransitions. Reported by Google. - CVE-2026-8538: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-8539: Script injection in SanitizerAPI. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-8540: Type Confusion in V8. Reported by Google. - CVE-2026-8541: Out of bounds read in UI. Reported by Google. - CVE-2026-8542: Use after free in Core. Reported by Google. - CVE-2026-8543: Out of bounds read in FileSystem. Reported by Google. - CVE-2026-8544: Use after free in Media. Reported by Google. - CVE-2026-8545: Object corruption in Compositing. Reported by Google. - CVE-2026-8546: Out of bounds read in GPU. Reported by Google. - CVE-2026-8547: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-8548: Out of bounds write in Media. Reported by Google. - CVE-2026-8549: Use after free in Media. Reported by Google. - CVE-2026-8550: Use after free in Google Lens. Reported by Google. - CVE-2026-8551: Use after free in Downloads. Reported by Google. - CVE-2026-8552: Heap buffer overflow in GPU. Reported by Google. - CVE-2026-8553: Use after free in GPU. Reported by Google. - CVE-2026-8554: Type Confusion in ANGLE. Reported by Google. - CVE-2026-8555: Use after free in GTK. Reported by Google. - CVE-2026-8556: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-8557: Use after free in Accessibility. Reported by Google. - CVE-2026-8559: Integer overflow in Internationalization. Reported by Google. - CVE-2026-8560: Heap buffer overflow in SwiftShader. Reported by Cassidy Kim(@cassidy6564). - CVE-2026-8561: Incorrect security UI in Fullscreen. Reported by Wolfgang Ettlinger (aff. Certitude Consulting GmbH) Alexander Hurbean (aff. Certitude Consulting GmbH). - CVE-2026-8562: Side-channel information leakage in Navigation. Reported by Google. - CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox. Reported by Luan Herrera (@lbherrera_). - CVE-2026-8564: Incorrect security UI in Downloads. Reported by Alesandro Ortiz https://AlesandroOrtiz.com. - CVE-2026-8565: Inappropriate implementation in Downloads. Reported by Farras Givari. - CVE-2026-8566: Insufficient policy enforcement in Payments. Reported by Jorian Woltjer. - CVE-2026-8567: Integer overflow in ANGLE. Reported by cinzinga. - CVE-2026-8568: Insufficient policy enforcement in AI. Reported by Tianyi Hu. - CVE-2026-8569: Out of bounds write in Codecs. Reported by Google. - CVE-2026-8570: Type Confusion in V8. Reported by Google. - CVE-2026-8571: Insufficient policy enforcement in GPU. Reported by Mark Blaszczyk. - CVE-2026-8572: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-8573: Integer overflow in Codecs. Reported by Google. - CVE-2026-8574: Use after free in Core. Reported by Google. - CVE-2026-8575: Use after free in UI. Reported by Google. - CVE-2026-8576: Inappropriate implementation in CORS. Reported by Google - CVE-2026-8577: Integer overflow in Fonts. Reported by Google. - CVE-2026-8578: Out of bounds read in GPU. Reported by Google. - CVE-2026-8579: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-8580: Use after free in Mojo. Reported by Google. - CVE-2026-8581: Use after free in GPU. Reported by Google. - CVE-2026-8582: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-8583: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-8584: Inappropriate implementation in Views. Reported by Google - CVE-2026-8585: Inappropriate implementation in Media. Reported by Google - CVE-2026-8586: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-8587: Use after free in Extensions. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. * rust-1.85/file_as_c_str.patch: fix build on non-x86 archs, as char* signed-ness is apparently different there versus arm & ppc64 [trixie, bookworm]. chromium (148.0.7778.167-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-8509: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8510: Integer overflow in Skia. Reported by q@calif.io. - CVE-2026-8511: Use after free in UI. Reported by Google. - CVE-2026-8512: Use after free in FileSystem. Reported by Google. - CVE-2026-8513: Use after free in Input. Reported by Google. - CVE-2026-8514: Use after free in Aura. Reported by Google. - CVE-2026-8515: Use after free in HID. Reported by Google. - CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-8517: Object lifecycle issue in WebShare. Reported by Google. - CVE-2026-8518: Use after free in Blink. Reported by Google. - CVE-2026-8519: Integer overflow in ANGLE. Reported by Google. - CVE-2026-8520: Race in Payments. Reported by Google. - CVE-2026-8521: Use after free in Tab Groups. Reported by Google. - CVE-2026-8522: Use after free in Downloads. Reported by Google. - CVE-2026-8523: Use after free in Mojo. Reported by Paul Seekamp / nullenc0de. - CVE-2026-8558: Out of bounds write in Fonts. Reported by Matej Smycka. - CVE-2026-8524: Out of bounds write in WebAudio. Reported by Brendan Dolan-Gavitt, XBOW. - CVE-2026-8525: Heap buffer overflow in ANGLE. Reported by Nathaniel Oh (@calysteon). - CVE-2026-8526: Out of bounds write in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8527: Insufficient validation of untrusted input in Downloads. Reported by rachmat.abdul.ro. - CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8529: Heap buffer overflow in Codecs. Reported by Google. - CVE-2026-8530: Use after free in Network. Reported by Google. - CVE-2026-8531: Heap buffer overflow in WebML. Reported by Syn4pse. - CVE-2026-8532: Integer overflow in XML. Reported by Google. - CVE-2026-8533: Use after free in Accessibility. Reported by Google. - CVE-2026-8534: Integer overflow in GPU. Reported by Google. - CVE-2026-8535: Out of bounds read in Media. Reported by Google. - CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode. Reported by Google. - CVE-2026-8537: Insufficient policy enforcement in ViewTransitions. Reported by Google. - CVE-2026-8538: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-8539: Script injection in SanitizerAPI. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-8540: Type Confusion in V8. Reported by Google. - CVE-2026-8541: Out of bounds read in UI. Reported by Google. - CVE-2026-8542: Use after free in Core. Reported by Google. - CVE-2026-8543: Out of bounds read in FileSystem. Reported by Google. - CVE-2026-8544: Use after free in Media. Reported by Google. - CVE-2026-8545: Object corruption in Compositing. Reported by Google. - CVE-2026-8546: Out of bounds read in GPU. Reported by Google. - CVE-2026-8547: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-8548: Out of bounds write in Media. Reported by Google. - CVE-2026-8549: Use after free in Media. Reported by Google. - CVE-2026-8550: Use after free in Google Lens. Reported by Google. - CVE-2026-8551: Use after free in Downloads. Reported by Google. - CVE-2026-8552: Heap buffer overflow in GPU. Reported by Google. - CVE-2026-8553: Use after free in GPU. Reported by Google. - CVE-2026-8554: Type Confusion in ANGLE. Reported by Google. - CVE-2026-8555: Use after free in GTK. Reported by Google. - CVE-2026-8556: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-8557: Use after free in Accessibility. Reported by Google. - CVE-2026-8559: Integer overflow in Internationalization. Reported by Google. - CVE-2026-8560: Heap buffer overflow in SwiftShader. Reported by Cassidy Kim(@cassidy6564). - CVE-2026-8561: Incorrect security UI in Fullscreen. Reported by Wolfgang Ettlinger (aff. Certitude Consulting GmbH) Alexander Hurbean (aff. Certitude Consulting GmbH). - CVE-2026-8562: Side-channel information leakage in Navigation. Reported by Google. - CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox. Reported by Luan Herrera (@lbherrera_). - CVE-2026-8564: Incorrect security UI in Downloads. Reported by Alesandro Ortiz https://AlesandroOrtiz.com. - CVE-2026-8565: Inappropriate implementation in Downloads. Reported by Farras Givari. - CVE-2026-8566: Insufficient policy enforcement in Payments. Reported by Jorian Woltjer. - CVE-2026-8567: Integer overflow in ANGLE. Reported by cinzinga. - CVE-2026-8568: Insufficient policy enforcement in AI. Reported by Tianyi Hu. - CVE-2026-8569: Out of bounds write in Codecs. Reported by Google. - CVE-2026-8570: Type Confusion in V8. Reported by Google. - CVE-2026-8571: Insufficient policy enforcement in GPU. Reported by Mark Blaszczyk. - CVE-2026-8572: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-8573: Integer overflow in Codecs. Reported by Google. - CVE-2026-8574: Use after free in Core. Reported by Google. - CVE-2026-8575: Use after free in UI. Reported by Google. - CVE-2026-8576: Inappropriate implementation in CORS. Reported by Google - CVE-2026-8577: Integer overflow in Fonts. Reported by Google. - CVE-2026-8578: Out of bounds read in GPU. Reported by Google. - CVE-2026-8579: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-8580: Use after free in Mojo. Reported by Google. - CVE-2026-8581: Use after free in GPU. Reported by Google. - CVE-2026-8582: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-8583: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-8584: Inappropriate implementation in Views. Reported by Google - CVE-2026-8585: Inappropriate implementation in Media. Reported by Google - CVE-2026-8586: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-8587: Use after free in Extensions. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. * rust-1.85/file_as_c_str.patch: fix build on non-x86 archs, as char* signed-ness is apparently different there versus arm & ppc64 [trixie, bookworm]. chromium (148.0.7778.167-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-8509: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8510: Integer overflow in Skia. Reported by q@calif.io. - CVE-2026-8511: Use after free in UI. Reported by Google. - CVE-2026-8512: Use after free in FileSystem. Reported by Google. - CVE-2026-8513: Use after free in Input. Reported by Google. - CVE-2026-8514: Use after free in Aura. Reported by Google. - CVE-2026-8515: Use after free in HID. Reported by Google. - CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer. Reported by Google. - CVE-2026-8517: Object lifecycle issue in WebShare. Reported by Google. - CVE-2026-8518: Use after free in Blink. Reported by Google. - CVE-2026-8519: Integer overflow in ANGLE. Reported by Google. - CVE-2026-8520: Race in Payments. Reported by Google. - CVE-2026-8521: Use after free in Tab Groups. Reported by Google. - CVE-2026-8522: Use after free in Downloads. Reported by Google. - CVE-2026-8523: Use after free in Mojo. Reported by Paul Seekamp / nullenc0de. - CVE-2026-8558: Out of bounds write in Fonts. Reported by Matej Smycka. - CVE-2026-8524: Out of bounds write in WebAudio. Reported by Brendan Dolan-Gavitt, XBOW. - CVE-2026-8525: Heap buffer overflow in ANGLE. Reported by Nathaniel Oh (@calysteon). - CVE-2026-8526: Out of bounds write in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8527: Insufficient validation of untrusted input in Downloads. Reported by rachmat.abdul.ro. - CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8529: Heap buffer overflow in Codecs. Reported by Google. - CVE-2026-8530: Use after free in Network. Reported by Google. - CVE-2026-8531: Heap buffer overflow in WebML. Reported by Syn4pse. - CVE-2026-8532: Integer overflow in XML. Reported by Google. - CVE-2026-8533: Use after free in Accessibility. Reported by Google. - CVE-2026-8534: Integer overflow in GPU. Reported by Google. - CVE-2026-8535: Out of bounds read in Media. Reported by Google. - CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode. Reported by Google. - CVE-2026-8537: Insufficient policy enforcement in ViewTransitions. Reported by Google. - CVE-2026-8538: Insufficient validation of untrusted input in GPU. Reported by Google. - CVE-2026-8539: Script injection in SanitizerAPI. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-8540: Type Confusion in V8. Reported by Google. - CVE-2026-8541: Out of bounds read in UI. Reported by Google. - CVE-2026-8542: Use after free in Core. Reported by Google. - CVE-2026-8543: Out of bounds read in FileSystem. Reported by Google. - CVE-2026-8544: Use after free in Media. Reported by Google. - CVE-2026-8545: Object corruption in Compositing. Reported by Google. - CVE-2026-8546: Out of bounds read in GPU. Reported by Google. - CVE-2026-8547: Insufficient policy enforcement in Passwords. Reported by Google. - CVE-2026-8548: Out of bounds write in Media. Reported by Google. - CVE-2026-8549: Use after free in Media. Reported by Google. - CVE-2026-8550: Use after free in Google Lens. Reported by Google. - CVE-2026-8551: Use after free in Downloads. Reported by Google. - CVE-2026-8552: Heap buffer overflow in GPU. Reported by Google. - CVE-2026-8553: Use after free in GPU. Reported by Google. - CVE-2026-8554: Type Confusion in ANGLE. Reported by Google. - CVE-2026-8555: Use after free in GTK. Reported by Google. - CVE-2026-8556: Inappropriate implementation in ANGLE. Reported by Google - CVE-2026-8557: Use after free in Accessibility. Reported by Google. - CVE-2026-8559: Integer overflow in Internationalization. Reported by Google. - CVE-2026-8560: Heap buffer overflow in SwiftShader. Reported by Cassidy Kim(@cassidy6564). - CVE-2026-8561: Incorrect security UI in Fullscreen. Reported by Wolfgang Ettlinger (aff. Certitude Consulting GmbH) Alexander Hurbean (aff. Certitude Consulting GmbH). - CVE-2026-8562: Side-channel information leakage in Navigation. Reported by Google. - CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox. Reported by Luan Herrera (@lbherrera_). - CVE-2026-8564: Incorrect security UI in Downloads. Reported by Alesandro Ortiz https://AlesandroOrtiz.com. - CVE-2026-8565: Inappropriate implementation in Downloads. Reported by Farras Givari. - CVE-2026-8566: Insufficient policy enforcement in Payments. Reported by Jorian Woltjer. - CVE-2026-8567: Integer overflow in ANGLE. Reported by cinzinga. - CVE-2026-8568: Insufficient policy enforcement in AI. Reported by Tianyi Hu. - CVE-2026-8569: Out of bounds write in Codecs. Reported by Google. - CVE-2026-8570: Type Confusion in V8. Reported by Google. - CVE-2026-8571: Insufficient policy enforcement in GPU. Reported by Mark Blaszczyk. - CVE-2026-8572: Insufficient policy enforcement in Network. Reported by Google. - CVE-2026-8573: Integer overflow in Codecs. Reported by Google. - CVE-2026-8574: Use after free in Core. Reported by Google. - CVE-2026-8575: Use after free in UI. Reported by Google. - CVE-2026-8576: Inappropriate implementation in CORS. Reported by Google - CVE-2026-8577: Integer overflow in Fonts. Reported by Google. - CVE-2026-8578: Out of bounds read in GPU. Reported by Google. - CVE-2026-8579: Insufficient validation of untrusted input in Skia. Reported by Google. - CVE-2026-8580: Use after free in Mojo. Reported by Google. - CVE-2026-8581: Use after free in GPU. Reported by Google. - CVE-2026-8582: Object lifecycle issue in Dawn. Reported by Google. - CVE-2026-8583: Insufficient policy enforcement in WebXR. Reported by Google. - CVE-2026-8584: Inappropriate implementation in Views. Reported by Google - CVE-2026-8585: Inappropriate implementation in Media. Reported by Google - CVE-2026-8586: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-8587: Use after free in Extensions. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. * rust-1.85/file_as_c_str.patch: fix build on non-x86 archs, as char* signed-ness is apparently different there versus arm & ppc64 [trixie, bookworm]. chromium (148.0.7778.96-3) unstable; urgency=high . [ Andres Salomon ] * d/control: switch to hardcoding esbuild-wasm build-dep, since buildds aren't smart enough to handle OR build-deps. chromium (148.0.7778.96-2) unstable; urgency=high . [ Andres Salomon ] * d/rules: update for new script path in debian's esbuild package (maintaining backwards compatibility with older esbuild packages). * d/control: add build-dep on esbuild-wasm for sid but not older distributions. chromium (148.0.7778.96-1) unstable; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-7896: Integer overflow in Blink. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7897: Use after free in Mobile. Reported by Google. - CVE-2026-7898: Use after free in Chromoting. Reported by Google. - CVE-2026-7899: Out of bounds read and write in V8. Reported by Project WhatForLunch (@pjwhatforlunch). - CVE-2026-7900: Heap buffer overflow in ANGLE. Reported by Anonymous. - CVE-2026-7901: Use after free in ANGLE. Reported by Syn4pse (@ret2happy) - CVE-2026-7902: Out of bounds memory access in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-7903: Integer overflow in ANGLE. Reported by heesun. - CVE-2026-7904: Out of bounds read in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7905: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-7906: Use after free in SVG. Reported by Google. - CVE-2026-7907: Use after free in DOM. Reported by Google. - CVE-2026-7908: Use after free in Fullscreen. Reported by Google. - CVE-2026-7909: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7910: Use after free in Views. Reported by Google. - CVE-2026-7911: Use after free in Aura. Reported by Google. - CVE-2026-7912: Integer overflow in GPU. Reported by Google. - CVE-2026-7913: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-7914: Type Confusion in Accessibility. Reported by Google. - CVE-2026-7915: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-7916: Insufficient data validation in InterestGroups. Reported by Google. - CVE-2026-7917: Use after free in Fullscreen. Reported by Google. - CVE-2026-7918: Use after free in GPU. Reported by Google. - CVE-2026-7919: Use after free in Aura. Reported by Google. - CVE-2026-7920: Use after free in Skia. Reported by Google. - CVE-2026-7921: Use after free in Passwords. Reported by Google. - CVE-2026-7922: Use after free in ServiceWorker. Reported by Google. - CVE-2026-7923: Out of bounds write in Skia. Reported by Google. - CVE-2026-7924: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-7925: Use after free in Chromoting. Reported by Google. - CVE-2026-7926: Use after free in PresentationAPI. Reported by anonymous - CVE-2026-7927: Type Confusion in Runtime. Reported by Google. - CVE-2026-7928: Use after free in WebRTC. Reported by Google. - CVE-2026-7929: Use after free in MediaRecording. Reported by Google. - CVE-2026-7930: Insufficient validation of untrusted input in Cookies. Reported by Satoki. - CVE-2026-7931: Insufficient validation of untrusted input in iOS. Reported by Qadhafy Muhammad Tera. - CVE-2026-7932: Insufficient policy enforcement in Downloads. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-7933: Out of bounds read in WebCodecs. Reported by heapracer (@heapracer). - CVE-2026-7934: Insufficient validation of untrusted input in Popup Blocker. Reported by Google. - CVE-2026-7935: Inappropriate implementation in Speech. Reported by Qadhafy Muhammad Tera. - CVE-2026-7936: Object lifecycle issue in V8. Reported by Christian Holler. - CVE-2026-7937: Insufficient policy enforcement in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-7938: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7939: Inappropriate implementation in SanitizerAPI. Reported by s3zer0. - CVE-2026-7940: Use after free in V8. Reported by sakana. - CVE-2026-7941: Insufficient validation of untrusted input in Mobile. Reported by Adithya Kotian. - CVE-2026-7942: Integer overflow in ANGLE. Reported by Google. - CVE-2026-7943: Insufficient validation of untrusted input in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache. Reported by Google. - CVE-2026-7945: Insufficient validation of untrusted input in COOP. Reported by Google. - CVE-2026-7946: Insufficient policy enforcement in WebUI. Reported by Google. - CVE-2026-7947: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-7948: Race in Chromoting. Reported by Google. - CVE-2026-7949: Out of bounds read in Skia. Reported by Google. - CVE-2026-7950: Out of bounds read and write in GFX. Reported by Google. - CVE-2026-7951: Out of bounds write in WebRTC. Reported by soft.connect.fr. - CVE-2026-7952: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-7953: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-7954: Race in Shared Storage. Reported by Google. - CVE-2026-7955: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7956: Use after free in Navigation. Reported by Google. - CVE-2026-7957: Out of bounds write in Media. Reported by Google. - CVE-2026-7958: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7959: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-7960: Race in Speech. Reported by Google. - CVE-2026-7961: Insufficient validation of untrusted input in Permissions Reported by Google. - CVE-2026-7962: Insufficient policy enforcement in DirectSockets. Reported by Google. - CVE-2026-7963: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7964: Insufficient validation of untrusted input in FileSystem. Reported by Google. - CVE-2026-7965: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-7966: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-7967: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-7968: Insufficient validation of untrusted input in CORS. Reported by Google. - CVE-2026-7969: Integer overflow in Network. Reported by Google. - CVE-2026-7970: Use after free in TopChrome. Reported by Google. - CVE-2026-7971: Inappropriate implementation in ORB. Reported by Google. - CVE-2026-7972: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7973: Integer overflow in Dawn. Reported by Google. - CVE-2026-7974: Use after free in Blink. Reported by Google. - CVE-2026-7975: Use after free in DevTools. Reported by Google. - CVE-2026-7976: Use after free in Views. Reported by Google. - CVE-2026-7977: Inappropriate implementation in Canvas. Reported by Google. - CVE-2026-7978: Inappropriate implementation in Companion. Reported by Google. - CVE-2026-7979: Inappropriate implementation in Media. Reported by Google - CVE-2026-7980: Use after free in WebAudio. Reported by Google. - CVE-2026-7981: Out of bounds read in Codecs. Reported by Google. - CVE-2026-7982: Uninitialized Use in WebCodecs. Reported by Google. - CVE-2026-7983: Out of bounds read in Dawn. Reported by Google. - CVE-2026-7984: Use after free in ReadingMode. Reported by Google. - CVE-2026-7985: Use after free in GPU. Reported by Google. - CVE-2026-7986: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-7987: Use after free in WebRTC. Reported by Google. - CVE-2026-7988: Type Confusion in WebRTC. Reported by Google. - CVE-2026-7989: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-7990: Insufficient validation of untrusted input in Updater. Reported by Google. - CVE-2026-7991: Use after free in UI. Reported by Google. - CVE-2026-7992: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-7993: Insufficient validation of untrusted input in Payments. Reported by Google. - CVE-2026-7994: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-7995: Out of bounds read in AdFilter. Reported by Google. - CVE-2026-7996: Insufficient validation of untrusted input in SSL. Reported by heesun. - CVE-2026-7997: Insufficient validation of untrusted input in Updater. Reported by ochkofficial. - CVE-2026-7998: Insufficient validation of untrusted input in Dialog. Reported by Tianyi Hu. - CVE-2026-7999: Inappropriate implementation in V8. Reported by Taisic Yun (@taisic) of Theori. - CVE-2026-8000: Insufficient validation of untrusted input in ChromeDriver. Reported by Ryan Jupp - HAAO. - CVE-2026-8001: Use after free in Printing. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8002: Use after free in Audio. Reported by Google. - CVE-2026-8003: Insufficient validation of untrusted input in TabGroups. Reported by Google. - CVE-2026-8004: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8005: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8006: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8007: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8008: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-8009: Inappropriate implementation in Cast. Reported by Google. - CVE-2026-8010: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8011: Insufficient policy enforcement in Search. Reported by Google. - CVE-2026-8012: Inappropriate implementation in MHTML. Reported by Google - CVE-2026-8013: Insufficient validation of untrusted input in FedCM. Reported by Google. - CVE-2026-8014: Inappropriate implementation in Preload. Reported by Google. - CVE-2026-8015: Inappropriate implementation in Media. Reported by Google - CVE-2026-8016: Use after free in WebRTC. Reported by Google. - CVE-2026-8017: Side-channel information leakage in Media. Reported by Google. - CVE-2026-8018: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8019: Insufficient policy enforcement in WebApp. Reported by Google. - CVE-2026-8020: Uninitialized Use in GPU. Reported by Google. - CVE-2026-8021: Script injection in UI. Reported by Google. - CVE-2026-8022: Inappropriate implementation in MHTML. Reported by Google * d/copyright: - drop gperf binary that upstream now includes. - update for dropping of "khronos" from opengl paths. * d/rules: - copy gperf binary from /usr/bin into build tree. - set webnn_use_litert=false. * d/clean: - update for harfbuzz-ng to harfbuzz rename. * d/patches: - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch: drop, merged upstream. - disable/lint.patch: refresh. - trixie/nodejs-set-intersection.patch: refresh for file rename. - ungoogled/disable-ai.patch: sync from u-c. - trixie/gn-inputs.patch, trixie/gn-inputs2.patch: add patches to revert gn "inputs" usage, which isn't supported by our older generate-ninja package. - llvm-22/ignore-for-ubsan.patch: add another bit to remove the same unsupported compiler flag. - llvm-19/iota.patch: add build fix for missing std::ranges::iota(). - upstream/turboshaft.patch: add build fix pulled from (v8) upstream for value_or() type ambiguity. - trixie/revert-v8-sanitize.patch: add patch to revert v8 gn-related changes that cause the build to fail w/ older gn. - llvm-19/raw-ref-map-find.patch: add patch to work around older clang-19 std::map::find() limitation. - rust-1.85/jxl-features.patch: refresh for new version [trixie, bookworm]. - rust-1.85/jxl-simd-avx512.patch: refresh for new version, and also drop large portions of this patch that add unsafe{} to macro calls (since I already added an unsafe block in the macro definition). And mark more functions as unsafe [trixie, bookworm]. - trixie/adler1.patch: refresh [trixie, bookworm]. - trixie/rust-is-multiple-of.patch: refresh & move to rust-1.85/ directory [trixie, bookworm]. - rust-1.85/file_as_c_str.patch: add patch to work around lack of std::panic::file_as_c_str() [trixie, bookworm]. - rust-1.85/mojo-features.patch: add patch to enable some newer rust features in mojom parser [trixie, bookworm]. - rust-1.85/zip8.patch: add patch to enable some newer rust features in zip [trixie, bookworm]. - bookworm/constexpr.patch: refresh for moved file [bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. - bookworm/eslint.patch: drop, no longer needed [bookworm]. - ungoogled/remove-navigation-source-param.patch: add patch from u-c to drop the "&source=chrome.ob" that shows up when you search for something via omnibox. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch refresh for upstream changes - third_party/skia-vsx-instructions.patch: refresh for upstream changes - fixes/fix-different-data-layouts.patch: refresh for upstream changes . [ Jianfeng Liu ] * d/patches/loongarch64: - 0004-loong64-sandbox-sandbox-linux-Update-syscall-helpers.patch: Refresh for upstream changes - 0024-disable-BROTLI_MODEL-macro-for-some-targets.patch: Drop, merged upstream . [ Daniel Richard G. ] * d/patches/llvm-19/clang19.patch: Also drop -Wlifetime-safety-permissive flag from v8 build, as clang-19 (and 20) doesn't recognize it. chromium (148.0.7778.96-1~deb13u1) trixie-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-7896: Integer overflow in Blink. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7897: Use after free in Mobile. Reported by Google. - CVE-2026-7898: Use after free in Chromoting. Reported by Google. - CVE-2026-7899: Out of bounds read and write in V8. Reported by Project WhatForLunch (@pjwhatforlunch). - CVE-2026-7900: Heap buffer overflow in ANGLE. Reported by Anonymous. - CVE-2026-7901: Use after free in ANGLE. Reported by Syn4pse (@ret2happy) - CVE-2026-7902: Out of bounds memory access in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-7903: Integer overflow in ANGLE. Reported by heesun. - CVE-2026-7904: Out of bounds read in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7905: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-7906: Use after free in SVG. Reported by Google. - CVE-2026-7907: Use after free in DOM. Reported by Google. - CVE-2026-7908: Use after free in Fullscreen. Reported by Google. - CVE-2026-7909: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7910: Use after free in Views. Reported by Google. - CVE-2026-7911: Use after free in Aura. Reported by Google. - CVE-2026-7912: Integer overflow in GPU. Reported by Google. - CVE-2026-7913: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-7914: Type Confusion in Accessibility. Reported by Google. - CVE-2026-7915: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-7916: Insufficient data validation in InterestGroups. Reported by Google. - CVE-2026-7917: Use after free in Fullscreen. Reported by Google. - CVE-2026-7918: Use after free in GPU. Reported by Google. - CVE-2026-7919: Use after free in Aura. Reported by Google. - CVE-2026-7920: Use after free in Skia. Reported by Google. - CVE-2026-7921: Use after free in Passwords. Reported by Google. - CVE-2026-7922: Use after free in ServiceWorker. Reported by Google. - CVE-2026-7923: Out of bounds write in Skia. Reported by Google. - CVE-2026-7924: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-7925: Use after free in Chromoting. Reported by Google. - CVE-2026-7926: Use after free in PresentationAPI. Reported by anonymous - CVE-2026-7927: Type Confusion in Runtime. Reported by Google. - CVE-2026-7928: Use after free in WebRTC. Reported by Google. - CVE-2026-7929: Use after free in MediaRecording. Reported by Google. - CVE-2026-7930: Insufficient validation of untrusted input in Cookies. Reported by Satoki. - CVE-2026-7931: Insufficient validation of untrusted input in iOS. Reported by Qadhafy Muhammad Tera. - CVE-2026-7932: Insufficient policy enforcement in Downloads. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-7933: Out of bounds read in WebCodecs. Reported by heapracer (@heapracer). - CVE-2026-7934: Insufficient validation of untrusted input in Popup Blocker. Reported by Google. - CVE-2026-7935: Inappropriate implementation in Speech. Reported by Qadhafy Muhammad Tera. - CVE-2026-7936: Object lifecycle issue in V8. Reported by Christian Holler. - CVE-2026-7937: Insufficient policy enforcement in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-7938: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7939: Inappropriate implementation in SanitizerAPI. Reported by s3zer0. - CVE-2026-7940: Use after free in V8. Reported by sakana. - CVE-2026-7941: Insufficient validation of untrusted input in Mobile. Reported by Adithya Kotian. - CVE-2026-7942: Integer overflow in ANGLE. Reported by Google. - CVE-2026-7943: Insufficient validation of untrusted input in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache. Reported by Google. - CVE-2026-7945: Insufficient validation of untrusted input in COOP. Reported by Google. - CVE-2026-7946: Insufficient policy enforcement in WebUI. Reported by Google. - CVE-2026-7947: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-7948: Race in Chromoting. Reported by Google. - CVE-2026-7949: Out of bounds read in Skia. Reported by Google. - CVE-2026-7950: Out of bounds read and write in GFX. Reported by Google. - CVE-2026-7951: Out of bounds write in WebRTC. Reported by soft.connect.fr. - CVE-2026-7952: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-7953: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-7954: Race in Shared Storage. Reported by Google. - CVE-2026-7955: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7956: Use after free in Navigation. Reported by Google. - CVE-2026-7957: Out of bounds write in Media. Reported by Google. - CVE-2026-7958: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7959: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-7960: Race in Speech. Reported by Google. - CVE-2026-7961: Insufficient validation of untrusted input in Permissions Reported by Google. - CVE-2026-7962: Insufficient policy enforcement in DirectSockets. Reported by Google. - CVE-2026-7963: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7964: Insufficient validation of untrusted input in FileSystem. Reported by Google. - CVE-2026-7965: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-7966: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-7967: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-7968: Insufficient validation of untrusted input in CORS. Reported by Google. - CVE-2026-7969: Integer overflow in Network. Reported by Google. - CVE-2026-7970: Use after free in TopChrome. Reported by Google. - CVE-2026-7971: Inappropriate implementation in ORB. Reported by Google. - CVE-2026-7972: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7973: Integer overflow in Dawn. Reported by Google. - CVE-2026-7974: Use after free in Blink. Reported by Google. - CVE-2026-7975: Use after free in DevTools. Reported by Google. - CVE-2026-7976: Use after free in Views. Reported by Google. - CVE-2026-7977: Inappropriate implementation in Canvas. Reported by Google. - CVE-2026-7978: Inappropriate implementation in Companion. Reported by Google. - CVE-2026-7979: Inappropriate implementation in Media. Reported by Google - CVE-2026-7980: Use after free in WebAudio. Reported by Google. - CVE-2026-7981: Out of bounds read in Codecs. Reported by Google. - CVE-2026-7982: Uninitialized Use in WebCodecs. Reported by Google. - CVE-2026-7983: Out of bounds read in Dawn. Reported by Google. - CVE-2026-7984: Use after free in ReadingMode. Reported by Google. - CVE-2026-7985: Use after free in GPU. Reported by Google. - CVE-2026-7986: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-7987: Use after free in WebRTC. Reported by Google. - CVE-2026-7988: Type Confusion in WebRTC. Reported by Google. - CVE-2026-7989: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-7990: Insufficient validation of untrusted input in Updater. Reported by Google. - CVE-2026-7991: Use after free in UI. Reported by Google. - CVE-2026-7992: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-7993: Insufficient validation of untrusted input in Payments. Reported by Google. - CVE-2026-7994: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-7995: Out of bounds read in AdFilter. Reported by Google. - CVE-2026-7996: Insufficient validation of untrusted input in SSL. Reported by heesun. - CVE-2026-7997: Insufficient validation of untrusted input in Updater. Reported by ochkofficial. - CVE-2026-7998: Insufficient validation of untrusted input in Dialog. Reported by Tianyi Hu. - CVE-2026-7999: Inappropriate implementation in V8. Reported by Taisic Yun (@taisic) of Theori. - CVE-2026-8000: Insufficient validation of untrusted input in ChromeDriver. Reported by Ryan Jupp - HAAO. - CVE-2026-8001: Use after free in Printing. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8002: Use after free in Audio. Reported by Google. - CVE-2026-8003: Insufficient validation of untrusted input in TabGroups. Reported by Google. - CVE-2026-8004: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8005: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8006: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8007: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8008: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-8009: Inappropriate implementation in Cast. Reported by Google. - CVE-2026-8010: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8011: Insufficient policy enforcement in Search. Reported by Google. - CVE-2026-8012: Inappropriate implementation in MHTML. Reported by Google - CVE-2026-8013: Insufficient validation of untrusted input in FedCM. Reported by Google. - CVE-2026-8014: Inappropriate implementation in Preload. Reported by Google. - CVE-2026-8015: Inappropriate implementation in Media. Reported by Google - CVE-2026-8016: Use after free in WebRTC. Reported by Google. - CVE-2026-8017: Side-channel information leakage in Media. Reported by Google. - CVE-2026-8018: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8019: Insufficient policy enforcement in WebApp. Reported by Google. - CVE-2026-8020: Uninitialized Use in GPU. Reported by Google. - CVE-2026-8021: Script injection in UI. Reported by Google. - CVE-2026-8022: Inappropriate implementation in MHTML. Reported by Google * d/copyright: - drop gperf binary that upstream now includes. - update for dropping of "khronos" from opengl paths. * d/rules: - copy gperf binary from /usr/bin into build tree. - set webnn_use_litert=false. * d/clean: - update for harfbuzz-ng to harfbuzz rename. * d/patches: - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch: drop, merged upstream. - disable/lint.patch: refresh. - trixie/nodejs-set-intersection.patch: refresh for file rename. - ungoogled/disable-ai.patch: sync from u-c. - trixie/gn-inputs.patch, trixie/gn-inputs2.patch: add patches to revert gn "inputs" usage, which isn't supported by our older generate-ninja package. - llvm-22/ignore-for-ubsan.patch: add another bit to remove the same unsupported compiler flag. - llvm-19/iota.patch: add build fix for missing std::ranges::iota(). - upstream/turboshaft.patch: add build fix pulled from (v8) upstream for value_or() type ambiguity. - trixie/revert-v8-sanitize.patch: add patch to revert v8 gn-related changes that cause the build to fail w/ older gn. - llvm-19/raw-ref-map-find.patch: add patch to work around older clang-19 std::map::find() limitation. - rust-1.85/jxl-features.patch: refresh for new version [trixie, bookworm]. - rust-1.85/jxl-simd-avx512.patch: refresh for new version, and also drop large portions of this patch that add unsafe{} to macro calls (since I already added an unsafe block in the macro definition). And mark more functions as unsafe [trixie, bookworm]. - trixie/adler1.patch: refresh [trixie, bookworm]. - trixie/rust-is-multiple-of.patch: refresh & move to rust-1.85/ directory [trixie, bookworm]. - rust-1.85/file_as_c_str.patch: add patch to work around lack of std::panic::file_as_c_str() [trixie, bookworm]. - rust-1.85/mojo-features.patch: add patch to enable some newer rust features in mojom parser [trixie, bookworm]. - rust-1.85/zip8.patch: add patch to enable some newer rust features in zip [trixie, bookworm]. - bookworm/constexpr.patch: refresh for moved file [bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. - bookworm/eslint.patch: drop, no longer needed [bookworm]. - ungoogled/remove-navigation-source-param.patch: add patch from u-c to drop the "&source=chrome.ob" that shows up when you search for something via omnibox. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch refresh for upstream changes - third_party/skia-vsx-instructions.patch: refresh for upstream changes - fixes/fix-different-data-layouts.patch: refresh for upstream changes . [ Jianfeng Liu ] * d/patches/loongarch64: - 0004-loong64-sandbox-sandbox-linux-Update-syscall-helpers.patch: Refresh for upstream changes - 0024-disable-BROTLI_MODEL-macro-for-some-targets.patch: Drop, merged upstream . [ Daniel Richard G. ] * d/patches/llvm-19/clang19.patch: Also drop -Wlifetime-safety-permissive flag from v8 build, as clang-19 (and 20) doesn't recognize it. chromium (148.0.7778.96-1~deb12u1) bookworm-security; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2026-7896: Integer overflow in Blink. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7897: Use after free in Mobile. Reported by Google. - CVE-2026-7898: Use after free in Chromoting. Reported by Google. - CVE-2026-7899: Out of bounds read and write in V8. Reported by Project WhatForLunch (@pjwhatforlunch). - CVE-2026-7900: Heap buffer overflow in ANGLE. Reported by Anonymous. - CVE-2026-7901: Use after free in ANGLE. Reported by Syn4pse (@ret2happy) - CVE-2026-7902: Out of bounds memory access in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab. - CVE-2026-7903: Integer overflow in ANGLE. Reported by heesun. - CVE-2026-7904: Out of bounds read in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7905: Insufficient validation of untrusted input in Media. Reported by Google. - CVE-2026-7906: Use after free in SVG. Reported by Google. - CVE-2026-7907: Use after free in DOM. Reported by Google. - CVE-2026-7908: Use after free in Fullscreen. Reported by Google. - CVE-2026-7909: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7910: Use after free in Views. Reported by Google. - CVE-2026-7911: Use after free in Aura. Reported by Google. - CVE-2026-7912: Integer overflow in GPU. Reported by Google. - CVE-2026-7913: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-7914: Type Confusion in Accessibility. Reported by Google. - CVE-2026-7915: Insufficient data validation in DevTools. Reported by Google. - CVE-2026-7916: Insufficient data validation in InterestGroups. Reported by Google. - CVE-2026-7917: Use after free in Fullscreen. Reported by Google. - CVE-2026-7918: Use after free in GPU. Reported by Google. - CVE-2026-7919: Use after free in Aura. Reported by Google. - CVE-2026-7920: Use after free in Skia. Reported by Google. - CVE-2026-7921: Use after free in Passwords. Reported by Google. - CVE-2026-7922: Use after free in ServiceWorker. Reported by Google. - CVE-2026-7923: Out of bounds write in Skia. Reported by Google. - CVE-2026-7924: Uninitialized Use in Dawn. Reported by Google. - CVE-2026-7925: Use after free in Chromoting. Reported by Google. - CVE-2026-7926: Use after free in PresentationAPI. Reported by anonymous - CVE-2026-7927: Type Confusion in Runtime. Reported by Google. - CVE-2026-7928: Use after free in WebRTC. Reported by Google. - CVE-2026-7929: Use after free in MediaRecording. Reported by Google. - CVE-2026-7930: Insufficient validation of untrusted input in Cookies. Reported by Satoki. - CVE-2026-7931: Insufficient validation of untrusted input in iOS. Reported by Qadhafy Muhammad Tera. - CVE-2026-7932: Insufficient policy enforcement in Downloads. Reported by Povcfe of Tencent Security Xuanwu Lab. - CVE-2026-7933: Out of bounds read in WebCodecs. Reported by heapracer (@heapracer). - CVE-2026-7934: Insufficient validation of untrusted input in Popup Blocker. Reported by Google. - CVE-2026-7935: Inappropriate implementation in Speech. Reported by Qadhafy Muhammad Tera. - CVE-2026-7936: Object lifecycle issue in V8. Reported by Christian Holler. - CVE-2026-7937: Insufficient policy enforcement in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. - CVE-2026-7938: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7939: Inappropriate implementation in SanitizerAPI. Reported by s3zer0. - CVE-2026-7940: Use after free in V8. Reported by sakana. - CVE-2026-7941: Insufficient validation of untrusted input in Mobile. Reported by Adithya Kotian. - CVE-2026-7942: Integer overflow in ANGLE. Reported by Google. - CVE-2026-7943: Insufficient validation of untrusted input in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache. Reported by Google. - CVE-2026-7945: Insufficient validation of untrusted input in COOP. Reported by Google. - CVE-2026-7946: Insufficient policy enforcement in WebUI. Reported by Google. - CVE-2026-7947: Insufficient validation of untrusted input in Network. Reported by Google. - CVE-2026-7948: Race in Chromoting. Reported by Google. - CVE-2026-7949: Out of bounds read in Skia. Reported by Google. - CVE-2026-7950: Out of bounds read and write in GFX. Reported by Google. - CVE-2026-7951: Out of bounds write in WebRTC. Reported by soft.connect.fr. - CVE-2026-7952: Insufficient policy enforcement in Extensions. Reported by Google. - CVE-2026-7953: Insufficient validation of untrusted input in Omnibox. Reported by Google. - CVE-2026-7954: Race in Shared Storage. Reported by Google. - CVE-2026-7955: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7956: Use after free in Navigation. Reported by Google. - CVE-2026-7957: Out of bounds write in Media. Reported by Google. - CVE-2026-7958: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7959: Inappropriate implementation in Navigation. Reported by Google. - CVE-2026-7960: Race in Speech. Reported by Google. - CVE-2026-7961: Insufficient validation of untrusted input in Permissions Reported by Google. - CVE-2026-7962: Insufficient policy enforcement in DirectSockets. Reported by Google. - CVE-2026-7963: Inappropriate implementation in ServiceWorker. Reported by Google. - CVE-2026-7964: Insufficient validation of untrusted input in FileSystem. Reported by Google. - CVE-2026-7965: Insufficient validation of untrusted input in DevTools. Reported by Google. - CVE-2026-7966: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-7967: Insufficient validation of untrusted input in Navigation. Reported by Google. - CVE-2026-7968: Insufficient validation of untrusted input in CORS. Reported by Google. - CVE-2026-7969: Integer overflow in Network. Reported by Google. - CVE-2026-7970: Use after free in TopChrome. Reported by Google. - CVE-2026-7971: Inappropriate implementation in ORB. Reported by Google. - CVE-2026-7972: Uninitialized Use in GPU. Reported by Google. - CVE-2026-7973: Integer overflow in Dawn. Reported by Google. - CVE-2026-7974: Use after free in Blink. Reported by Google. - CVE-2026-7975: Use after free in DevTools. Reported by Google. - CVE-2026-7976: Use after free in Views. Reported by Google. - CVE-2026-7977: Inappropriate implementation in Canvas. Reported by Google. - CVE-2026-7978: Inappropriate implementation in Companion. Reported by Google. - CVE-2026-7979: Inappropriate implementation in Media. Reported by Google - CVE-2026-7980: Use after free in WebAudio. Reported by Google. - CVE-2026-7981: Out of bounds read in Codecs. Reported by Google. - CVE-2026-7982: Uninitialized Use in WebCodecs. Reported by Google. - CVE-2026-7983: Out of bounds read in Dawn. Reported by Google. - CVE-2026-7984: Use after free in ReadingMode. Reported by Google. - CVE-2026-7985: Use after free in GPU. Reported by Google. - CVE-2026-7986: Insufficient policy enforcement in Autofill. Reported by Google. - CVE-2026-7987: Use after free in WebRTC. Reported by Google. - CVE-2026-7988: Type Confusion in WebRTC. Reported by Google. - CVE-2026-7989: Insufficient data validation in DataTransfer. Reported by Google. - CVE-2026-7990: Insufficient validation of untrusted input in Updater. Reported by Google. - CVE-2026-7991: Use after free in UI. Reported by Google. - CVE-2026-7992: Insufficient validation of untrusted input in UI. Reported by Google. - CVE-2026-7993: Insufficient validation of untrusted input in Payments. Reported by Google. - CVE-2026-7994: Inappropriate implementation in Chromoting. Reported by Google. - CVE-2026-7995: Out of bounds read in AdFilter. Reported by Google. - CVE-2026-7996: Insufficient validation of untrusted input in SSL. Reported by heesun. - CVE-2026-7997: Insufficient validation of untrusted input in Updater. Reported by ochkofficial. - CVE-2026-7998: Insufficient validation of untrusted input in Dialog. Reported by Tianyi Hu. - CVE-2026-7999: Inappropriate implementation in V8. Reported by Taisic Yun (@taisic) of Theori. - CVE-2026-8000: Insufficient validation of untrusted input in ChromeDriver. Reported by Ryan Jupp - HAAO. - CVE-2026-8001: Use after free in Printing. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-8002: Use after free in Audio. Reported by Google. - CVE-2026-8003: Insufficient validation of untrusted input in TabGroups. Reported by Google. - CVE-2026-8004: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8005: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8006: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8007: Insufficient validation of untrusted input in Cast. Reported by Google. - CVE-2026-8008: Inappropriate implementation in DevTools. Reported by Google. - CVE-2026-8009: Inappropriate implementation in Cast. Reported by Google. - CVE-2026-8010: Insufficient validation of untrusted input in SiteIsolation. Reported by Google. - CVE-2026-8011: Insufficient policy enforcement in Search. Reported by Google. - CVE-2026-8012: Inappropriate implementation in MHTML. Reported by Google - CVE-2026-8013: Insufficient validation of untrusted input in FedCM. Reported by Google. - CVE-2026-8014: Inappropriate implementation in Preload. Reported by Google. - CVE-2026-8015: Inappropriate implementation in Media. Reported by Google - CVE-2026-8016: Use after free in WebRTC. Reported by Google. - CVE-2026-8017: Side-channel information leakage in Media. Reported by Google. - CVE-2026-8018: Insufficient policy enforcement in DevTools. Reported by Google. - CVE-2026-8019: Insufficient policy enforcement in WebApp. Reported by Google. - CVE-2026-8020: Uninitialized Use in GPU. Reported by Google. - CVE-2026-8021: Script injection in UI. Reported by Google. - CVE-2026-8022: Inappropriate implementation in MHTML. Reported by Google * d/copyright: - drop gperf binary that upstream now includes. - update for dropping of "khronos" from opengl paths. * d/rules: - copy gperf binary from /usr/bin into build tree. - set webnn_use_litert=false. * d/clean: - update for harfbuzz-ng to harfbuzz rename. * d/patches: - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch: drop, merged upstream. - disable/lint.patch: refresh. - trixie/nodejs-set-intersection.patch: refresh for file rename. - ungoogled/disable-ai.patch: sync from u-c. - trixie/gn-inputs.patch, trixie/gn-inputs2.patch: add patches to revert gn "inputs" usage, which isn't supported by our older generate-ninja package. - llvm-22/ignore-for-ubsan.patch: add another bit to remove the same unsupported compiler flag. - llvm-19/iota.patch: add build fix for missing std::ranges::iota(). - upstream/turboshaft.patch: add build fix pulled from (v8) upstream for value_or() type ambiguity. - trixie/revert-v8-sanitize.patch: add patch to revert v8 gn-related changes that cause the build to fail w/ older gn. - llvm-19/raw-ref-map-find.patch: add patch to work around older clang-19 std::map::find() limitation. - rust-1.85/jxl-features.patch: refresh for new version [trixie, bookworm]. - rust-1.85/jxl-simd-avx512.patch: refresh for new version, and also drop large portions of this patch that add unsafe{} to macro calls (since I already added an unsafe block in the macro definition). And mark more functions as unsafe [trixie, bookworm]. - trixie/adler1.patch: refresh [trixie, bookworm]. - trixie/rust-is-multiple-of.patch: refresh & move to rust-1.85/ directory [trixie, bookworm]. - rust-1.85/file_as_c_str.patch: add patch to work around lack of std::panic::file_as_c_str() [trixie, bookworm]. - rust-1.85/mojo-features.patch: add patch to enable some newer rust features in mojom parser [trixie, bookworm]. - rust-1.85/zip8.patch: add patch to enable some newer rust features in zip [trixie, bookworm]. - bookworm/constexpr.patch: refresh for moved file [bookworm]. - bookworm/dav1d-drop-hdr.patch: refresh [bookworm]. - bookworm/eslint.patch: drop, no longer needed [bookworm]. - ungoogled/remove-navigation-source-param.patch: add patch from u-c to drop the "&source=chrome.ob" that shows up when you search for something via omnibox. . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0002-regenerate-xnn-buildgn.patch refresh for upstream changes - third_party/skia-vsx-instructions.patch: refresh for upstream changes - fixes/fix-different-data-layouts.patch: refresh for upstream changes . [ Jianfeng Liu ] * d/patches/loongarch64: - 0004-loong64-sandbox-sandbox-linux-Update-syscall-helpers.patch: Refresh for upstream changes - 0024-disable-BROTLI_MODEL-macro-for-some-targets.patch: Drop, merged upstream . [ Daniel Richard G. ] * d/patches/llvm-19/clang19.patch: Also drop -Wlifetime-safety-permissive flag from v8 build, as clang-19 (and 20) doesn't recognize it. chromium (147.0.7727.137-1) unstable; urgency=high . [ Andres Salomon ] * New upstream security release. - CVE-2026-7363: Use after free in Canvas. Reported by heapracer. - CVE-2026-7361: Use after free in iOS. Reported by Google. - CVE-2026-7344: Use after free in Accessibility. Reported by Google. - CVE-2026-7343: Use after free in Views. Reported by Google. - CVE-2026-7333: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7360: Insufficient validation of untrusted input in Compositing. Reported by Google. - CVE-2026-7359: Use after free in ANGLE. Reported by Google. - CVE-2026-7358: Use after free in Animation. Reported by Google. - CVE-2026-7334: Use after free in Views. Reported by Batuhan Eşref KOÇ. - CVE-2026-7357: Use after free in GPU. Reported by Google. - CVE-2026-7356: Use after free in Navigation. Reported by Google. - CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google. - CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google. - CVE-2026-7352: Use after free in Media. Reported by Google. - CVE-2026-7351: Race in MHTML. Reported by Google. - CVE-2026-7350: Use after free in WebMIDI. Reported by Google. - CVE-2026-7349: Use after free in Cast. Reported by Google. - CVE-2026-7348: Use after free in Codecs. Reported by Google. - CVE-2026-7335: Use after free in media. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po). - CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla. - CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io. - CVE-2026-7347: Use after free in Chromoting. Reported by Google. - CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google. - CVE-2026-7345: Insufficient validation of untrusted input in Feedback. Reported by Google. - CVE-2026-7338: Use after free in Cast. Reported by Krace. - CVE-2026-7342: Use after free in WebView. Reported by Google. - CVE-2026-7341: Use after free in WebRTC. Reported by Google. - CVE-2026-7339: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792. - CVE-2026-7340: Integer overflow in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32. - CVE-2026-7355: Use after free in Media. Reported by Google. . [ Jianfeng Liu ] * d/patches: - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch: Fixes upstream issue https://crbug.com/501115509. This issue is introduced in v147, and unfortunately the fix won't get into v147. This issue affects both vaapi and v4l2 decoding under ozone wayland. - fixes/enable-widevine-on-arm64-linux-platform.patch: Enable widevine support on arm64. There is no official support for widevine on arm64 linux while there are libwidevine binaries extracted from chromeos, which can work on linux (closes: #1052440). chrony (4.6.1-3+deb13u2) trixie; urgency=medium . * debian/chrony.if-{post-down,up}: - Adjust the if-up and if-down hook scripts so that they always exit successfully. (Closes: #1011533) ckermit (416~beta12-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. . [ John Goerzen ] * CVE-2025-68920: Block remote control of the local kermit by default. Closes: #1123025 * Permanently disable OpenSSL version check. Closes: #1118629. composer (2.8.8-1+deb13u3) trixie; urgency=medium . * Fix regexp to support new GitHub installation tokens format (GHSA-f9f8-rm49-7jv2) [CVE-2026-45793] courier (1.4.1-3+deb13u2) trixie; urgency=medium . * Add debian/patches/adjust-webadmin-scripts.patch, thanks Jean Louis (closes: #1132026). curl (8.14.1-2+deb13u4) trixie; urgency=medium . * Import upstream patches for 13 CVE fixes: - CVE-2025-14524 - CVE-2025-14819 - CVE-2026-1965 - CVE-2026-3783 - CVE-2026-3784 - CVE-2026-3805 - CVE-2026-4873 - CVE-2026-5545 - CVE-2026-5773 - CVE-2026-6253 - CVE-2026-6276 - CVE-2026-6429 - CVE-2026-7168 * d/p/CVE-2025-10148.patch: drop format-patch artefacts * d/p/CVE-2025-13034.patch: refresh after gbp pq round-trip * d/p: refresh patch series after gbp pq round-trip cyborg (14.0.0-3+deb13u1) trixie-security; urgency=medium . * CVE-2026-40213: Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC. CVE-2026-40214: The Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service. Applied upstream patches: - Use_common_checks.check_policy_json_from_oslo.upgradecheck.patch - Fix_cyborg-status_upgrade_check_tests.patch - Fix_rule-allow_policy_bypass_on_device_deployable_attribute_APIs.patch - Set_project_id_on_ARQ_creation_and_binding.patch - Refactor_session_handling_and_align_test_contexts.patch - Add_project_id_backfill_for_existing_ARQs.patch - Enforce_project-scoped_access_for_ARQs.patch - Require_service_token_for_bound_ARQ_operations.patch (Closes: #1136006). dcmtk (3.6.9-5+deb13u2) trixie; urgency=medium . * Team upload. * CVE-2026-12805.patch: new: fix CVE-2026-12805. This patch fixes a risk of buffer overflow by ensuring negative error codes in XMLNode::parseFile are properly handled, as well a NULL values. (Closes: #1140562) . dcmtk (3.6.9-5+deb13u1) trixie; urgency=medium . * Team upload * d/patches/*-CVE-2025-9732.patch: new. These changes pulled from dcmtk upstream address CVE-2025-9732. (Closes: #1113993) * 0015-CVE-2025-14607.patch: new: fix CVE-2025-14607. (Closes: #1122926) * 0016-CVE-2026-5663.patch: new: fix CVE-2026-5663. (Closes: #1133001) * 0017-CVE-2025-14841.patch: new: fix CVE-2025-14841. (Closes: #1123584) * 0018-CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181) dcmtk (3.6.9-5+deb13u1) trixie; urgency=medium . * Team upload * d/patches/*-CVE-2025-9732.patch: new. These changes pulled from dcmtk upstream address CVE-2025-9732. (Closes: #1113993) * 0015-CVE-2025-14607.patch: new: fix CVE-2025-14607. (Closes: #1122926) * 0016-CVE-2026-5663.patch: new: fix CVE-2026-5663. (Closes: #1133001) * 0017-CVE-2025-14841.patch: new: fix CVE-2025-14841. (Closes: #1123584) * 0018-CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181) debian-installer (20250803+deb13u6) trixie; urgency=medium . * Bump Linux kernel ABI to 6.12.94+deb13. * Adjust linux-image build-deps accordingly. debian-installer-netboot-images (20250803+deb13u6) trixie; urgency=medium . * Update to 20250803+deb13u6, from trixie-proposed-updates. debusine (0.11.3+deb13u1) trixie; urgency=medium . * Security update for stable: - Enforce permissions on the file body upload endpoint. - CVE-2026-11852: Restrict artifact relation creation and deletion. - Sbuild task: harden against shell injection. - CVE-2026-11853: Reject .dsc/.changes checksum filenames with multiple path components. deepdiff (8.1.1-4+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-58367: Class Pollution in Delta class * CVE-2026-33155: Memory Exhaustion DoS through SAFE_TO_IMPORT (Closes: #1131472) dhcpcd (1:10.1.0-11+deb13u3) trixie; urgency=medium . * [patches] (Closes: #1140767) + Cherry-pick upstream fix for CVE-2025-70102 (commit 117742d). + Cherry-pick upstream fix for CVE-2026-56113 (commit 5733d3c). + Cherry-pick upstream fix for CVE-2026-56114 (commit 2f00c7b). + Cherry-pick upstream fix for CVE-2026-56116 (commit 708b4a5). + Cherry-pick upstream fix for CVE-2026-56117 (commit 78ea09e). dnsdist (1.9.15-0+deb13u1) trixie-security; urgency=medium . * New upstream version 1.9.15, fixing security issues CVE-2026-40011, CVE-2026-42004, CVE-2026-42005, CVE-2026-40208, CVE-2026-40209, CVE-2026-40210, CVE-2026-40211 dolphin (4:25.04.3-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-41525: Sandbox escape dovecot (1:2.4.1+dfsg1-6+deb13u6) trixie-security; urgency=medium . * Security update (Closes: #1136444) * [76ceed4] CVE-2026-27851: lib-var-expand: Reset safe state when transfer is unset * [4af6fb3] CVE-2026-40016: lib-sieve: Enforce CPU time limit within :contains and :matches matcher loops * [366ef61] CVE-2026-33603: login-common: Only accept base64 in sasl * [26bd41e] CVE-2026-40020: IMAP folders can be shared-spammed to everyone. * [b6f5bac] CVE-2026-42006: imap-login: Excessive memory usage DoS errands (46.2.8-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-71063: TLS certificates for CalDAV servers were not verified (Closes: #1123738) evince (48.1-3+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * shell: quote strings in arguments used when calling ev_spawn (CVE-2026-46529) execnet (2.1.1-1+deb13u1) trixie; urgency=medium . * Team upload. * Mark several tests as flaky. Closes: #854494. exim4 (4.98.2-1+deb13u3) trixie-security; urgency=high . * Cherry-pick fix for EXIM-Security-2026-05-19.1 from 4.99.4. Security: PROXYv2 parser: reject PROXY frames whose declared payload length is too short for the claimed address family (12 bytes for TCPv4/0x11, 36 bytes for TCPv6/0x21). Previously a frame with family=0x21 and len=0 caused 16 bytes of uninitialized stack to be formatted as the sender's IPv6 address and disclosed in the SMTP greeting banner. Affects configurations with SUPPORT_PROXY and `hosts_proxy` set. Reported by Warisjeet Singh (sin99xx). fastnetmon (1.2.9-0+deb13u1) trixie-security; urgency=high . * New upstream release. - This release fixes various security issues: CVE-2026-48689, CVE-2026-48688, CVE-2026-48696, CVE-2026-48695, CVE-2026-48694, CVE-2026-48691, CVE-2026-48690, CVE-2026-48687, CVE-2026-48686, CVE-2026-48685, CVE-2026-48684 and CVE-2026-48683. Closes: #1138646 * Revert for trixie: Remove dh_movetousr sequence and manually set the systemd servicedir. fastnetmon (1.2.8+git20250911-2) unstable; urgency=medium . * Bump Standards-Version to 4.7.3 (Remove priority field). * Remove dh_movetousr sequence and manually set the systemd servicedir. Closes: #1122752 * Update years in debian/copyright. * Remove Rules-Requires-Root control field. * Update debian/watch to version 5. * Remove libboost-system-dev Build-Depends. Closes: #1127190 fastnetmon (1.2.8+git20250911-1) unstable; urgency=medium . * New upstream git snapshot. - Fixes build with mongo-c-driver 2.0. Closes: #1111777, #1110574, #1112881 - Remove merged patch 01-spelling-error. * Bump Standards-Version to 4.7.2. * Merge 1.2.4-2+deb12u1 changelog. * Fix old-fsf-address-in-copyright-file. ffmpeg (7:7.1.5-0+deb13u1) trixie-security; urgency=high . * New upstream version 7.1.5 - Fixes CVE-2026-8461 ffmpeg (7:7.1.4-0+deb13u1) trixie-security; urgency=medium . * New upstream version 7.1.4 * debian/libavfilter10.symbols.in: Add new symbol ffmpeg (7:7.1.3-1) unstable; urgency=medium . * New upstream version 7.1.3 * debian/patches: Unbreak build with glslang 16 (Closes: #1120579) firefox-esr (140.12.0esr-1~deb13u1) trixie-security; urgency=medium . * New upstream release. * Fixes for mfsa2026-58, also known as: CVE-2026-12289, CVE-2026-12290, CVE-2026-12291, CVE-2026-12292, CVE-2026-12294, CVE-2026-12295, CVE-2026-12298, CVE-2026-12296, CVE-2026-12297, CVE-2026-12299, CVE-2026-12329, CVE-2026-12302, CVE-2026-12304, CVE-2026-12305, CVE-2026-12306, CVE-2026-12307, CVE-2026-12308, CVE-2026-12309, CVE-2026-12310, CVE-2026-12311, CVE-2026-12312, CVE-2026-12313, CVE-2026-12314, CVE-2026-12315, CVE-2026-12330, CVE-2026-12324, CVE-2026-12325, CVE-2026-12327, CVE-2026-12328. firefox-esr (140.12.0esr-1~deb12u1) bookworm-security; urgency=medium . * New upstream release. * Fixes for mfsa2026-58, also known as: CVE-2026-12289, CVE-2026-12290, CVE-2026-12291, CVE-2026-12292, CVE-2026-12294, CVE-2026-12295, CVE-2026-12298, CVE-2026-12296, CVE-2026-12297, CVE-2026-12299, CVE-2026-12329, CVE-2026-12302, CVE-2026-12304, CVE-2026-12305, CVE-2026-12306, CVE-2026-12307, CVE-2026-12308, CVE-2026-12309, CVE-2026-12310, CVE-2026-12311, CVE-2026-12312, CVE-2026-12313, CVE-2026-12314, CVE-2026-12315, CVE-2026-12330, CVE-2026-12324, CVE-2026-12325, CVE-2026-12327, CVE-2026-12328. firefox-esr (140.11.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2026-48, also known as: CVE-2026-8946, CVE-2026-8388, CVE-2026-8947, CVE-2026-8391, CVE-2026-8401, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975. firefox-esr (140.11.0esr-1~deb13u1) trixie-security; urgency=medium . * New upstream release. * Fixes for mfsa2026-48, also known as: CVE-2026-8946, CVE-2026-8388, CVE-2026-8947, CVE-2026-8391, CVE-2026-8401, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975. firefox-esr (140.11.0esr-1~deb12u1) bookworm-security; urgency=medium . * New upstream release. * Fixes for mfsa2026-48, also known as: CVE-2026-8946, CVE-2026-8388, CVE-2026-8947, CVE-2026-8391, CVE-2026-8401, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975. firefox-esr (140.10.2esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2026-41, also known as: CVE-2026-8090, CVE-2026-8094, CVE-2026-8092. fldigi (4.2.06-1+deb13u1) trixie; urgency=medium . * Team upload. * Force LC_NUMERIC=C.UTF-8 to use proper decimal separator in API and ADIF log files. (Closes: #1114613) freecad (1.0.0+dfsg-8+deb13u2) trixie; urgency=medium . * Maintaner approvided upload. * Backport patch 1040-fix-cmake-race.patch to fix FTBFS on arm64. freecad (1.0.0+dfsg-8+deb13u1) trixie; urgency=medium . * Maintaner approvided upload. * Get fanuc post processor working (Closes: #1117850). frr (10.3-3+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Backport upstream fixes for several BGP/OSPF parsing vulnerabilities: - CVE-2026-37457: off-by-one out-of-bounds write in the BGP FlowSpec operator decoder (bgp_flowspec_op_decode). - CVE-2026-28532: out-of-bounds read in OSPF TE/SR Opaque LSA TLV parsing caused by a truncated uint16_t length accumulator. - CVE-2026-5107: missing length validation when parsing EVPN Type-2/3/4 and ENCAP/VNC NLRIs. - CVE-2026-37458: missing martian next-hop validation in MP_REACH_NLRI. - CVE-2025-61099, CVE-2025-61100, CVE-2025-61101, CVE-2025-61102, CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106, CVE-2025-61107: NULL pointer dereference in ospfd when dumping Opaque LSAs while OSPF packet debugging is enabled. fwupd (2.0.20-1~deb13u1) stable-updates; urgency=medium . * Release to stable updates to enable updating UEFI CA. (Closes: #1138871) * Note: Fix deploying the thunderbolt controller on the X280 is now part of the upstream release and the patch is dropped. fwupd (2.0.20-1~deb12u2) bookworm; urgency=medium . * No change rebuild for source upload. fwupd (2.0.20-1~deb12u1) bookworm; urgency=medium . * Release to oldstable updates to enable updating UEFI CA. * d/control: Refresh b-d against bookworm * d/rules: disable modem manager * d/patches: Add patches to allow building on bookworm fwupd (2.0.20-1~bpo13+1) trixie-backports; urgency=medium . * Backport to trixie * Disable passim support fwupd (2.0.19-1) unstable; urgency=medium . * New upstream version (2.0.19) fwupd (2.0.18-1) unstable; urgency=medium . * New upstream version (2.0.18) * Drop upstream patches fwupd (2.0.17-6) unstable; urgency=medium . * Backport a patch to fix x86 32 bit installed tests fwupd (2.0.17-5) unstable; urgency=medium . * d/tests/control: depends on fwupd-tests instead of fwupd fwupd (2.0.17-4) unstable; urgency=medium . * d/t/control: Explicitly add fwupd to depends fwupd (2.0.17-3) unstable; urgency=medium . * d/t/control: Add missing depends for autopkgtest fwupd (2.0.17-2) unstable; urgency=medium . * Backport a fix for installed tests failures with mtdram fwupd (2.0.17-1) unstable; urgency=medium . * New upstream version (2.0.17) fwupd (2.0.16-4) unstable; urgency=medium . * Enable passim support in Debian (disabled in Ubuntu right now). fwupd (2.0.16-3) unstable; urgency=medium . * d/rules: Explicitly set efi_os_dir (Closes: #1105176) (Closes: #1112464) * d/control: Drop b-d on python3-typogrify (Closes: #1105777) * Changes for build-dependency on libgirepository1.0-dev (Closes: #1118817) * Backport a patch to fix a segfault with flashrom (Closes: #1118449) fwupd (2.0.16-2) unstable; urgency=medium . * Backport a patch from upstream to drop python3-toml b-d * d/copyright, d/control: refresh against dependencies.xml (Closes: #1110022) fwupd (2.0.16-1) unstable; urgency=medium . * New upstream version (2.0.16) fwupd (2.0.15-1) unstable; urgency=medium . * New upstream version (2.0.15) fwupd (2.0.14-1) unstable; urgency=medium . * New upstream version (2.0.14) fwupd (2.0.13-2) unstable; urgency=medium . * Upload to unstable fwupd (2.0.13-1) experimental; urgency=medium . * New upstream version. fwupd (2.0.12-1) experimental; urgency=medium . * New upstream version. fwupd (2.0.10-1) experimental; urgency=medium . * New upstream version. * d/control: Update my email fwupd (2.0.9-1) experimental; urgency=medium . * New upstream version (2.0.9) - Drop all upstream patches. gambas3 (3.20.2-1+deb13u1) trixie; urgency=medium . * Team upload * Fix qt6 component trying to load non-existing qt5 dependency (Closes: #1136260) gdown (5.2.0+dfsg-2+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-40491: Arbitrary File Write via Path Traversal geoip (1.6.12-11.2~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. . geoip (1.6.12-11.2) unstable; urgency=medium . * Non-maintainer upload. * Restore the generator scripts for geoip-database. geoip-database (20250401+really20191224-0+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Revert to the last version before the license change. (Closes: #1134158) * Build depend on geoip with support for the old version restored. giflib (5.2.2-1+deb13u1) trixie; urgency=medium . * CVE-2026-23868 (Closes: #1130495) * CVE-2026-26740 (Closes: #1131368) gimp (3.0.4-3+deb13u9) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-4154: XPM parsing integer overflow * CVE-2026-40915: FITS parsing integer overflow gnustep-sqlclient (1.9.0-6+deb13u1) trixie; urgency=medium . * debian/control (libsqlclient-dev): Remove "Multi-Arch: same" field to avoid file conflicts (Closes: #1133733). gnutls28 (3.8.9-3+deb13u4) trixie-security; urgency=high . * Add 3.8.13 patchset from CentOS 10 security release. Fixes CVE-2026-33846 CVE-2026-42009 CVE-2026-33845 CVE-2026-42010 CVE-2026-3833 CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-5260 CVE-2026-42015 CVE-2026-3832 CVE-2026-5419 and also adds a couple of fixes for issues without CVEs assigned. (For Debian base64-encode a testfile, quilt does not support git binary patches.) Closes: #1135319 * Drop patches irrelevant for 3.8.9 from the CentOS patchset. The PKCS#11 [provider] feature was only added in 3.8.10. * Cherry-pick another patch to add a mising declaration. graphite2 (1.3.14-2+deb13u1) trixie; urgency=medium . * debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch: fix CVE-2026-50593 gsasl (2.2.2-1.1+deb13u2) trixie-security; urgency=medium . * NTLM client: Avoid use-of-unitialized-value inside libntlm gsasl (2.2.2-1.1+deb13u1) trixie-security; urgency=medium . * Fix NULL pointer dereference in DIGEST-MD5 parser gst-libav1.0 (1.26.2-1+deb13u1) trixie-security; urgency=medium . * CVE-2026-52717 gst-plugins-bad1.0 (1.26.2-3+deb13u2) trixie-security; urgency=medium . * CVE-2026-52718 * CVE-2026-52719 * CVE-2026-53701 gst-plugins-good1.0 (1.26.2-1+deb13u2) trixie-security; urgency=medium . * CVE-2026-39043 * CVE-2026-39044 * CVE-2026-1940 * CVE-2026-3083 * CVE-2026-3085 gst-plugins-good1.0 (1.26.2-1+deb13u1) trixie-security; urgency=medium . * CVE-2026-5056 * CVE-2026-46469 * CVE-2026-46470 haproxy (3.0.11-1+deb13u3) trixie-security; urgency=high . [ Salvatore Bonaccorso ] * BUG/MAJOR: h3: check body size with content-length on empty FIN (CVE-2026-33555) . [ Vincent Bernat ] * BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well * BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization * BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size * BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs() * BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals * BUG/MAJOR: http: forbid comma character in authority value * BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing haveged (1.9.19-12+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix privilege escalation via command socket (CVE-2026-41054) (Closes: #1137096) * Check peer credentials before reading command (CVE-2026-41054) horizon (3:25.3.0-3+deb13u1) trixie; urgency=medium . * OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845). imagemagick (8:7.1.1.43+dfsg1-1+deb13u10) trixie-security; urgency=high . * Fix CVE-2026-48724: When using an image with mask the Floyd-Steinberg dithering method it will cause a negative heap buffer over-write * Fix CVE-2026-48734: A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check * Fix CVE-2026-48994: A missing check of a return value could lead to a heap buffer over-write in the MAT decoder on 32-bit systems. * Fix CVE-2026-49218: A missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. * Fix CVE-2026-49219: An incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink * Backport policy from 7.1.2.25 * Fix CVE-2026-53460: A missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. * Fix CVE-2026-53461: An incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. * Fix CVE-2026-53463: When passing incorrect arguments in the distort operation a null pointer deference will occur. * Fix CVE-2026-53464: When providing invalid options to the wand option parser a small memory leak will occur. * Harden debian policy in case of custom recompilation (Closes: #1140176) imagemagick (8:7.1.1.43+dfsg1-1+deb13u9) trixie-security; urgency=high . * Fix CVE-2026-33901 regression: Previous fix breaks rendering of some MVG files. * Fix CVE-2026-42050: A malicious MIFF file could trigger an overflow when a user opens it in the he display tool and right-clicks a tile to invoke the Load/Update menu item. * Fix CVE-2026-42326: Heap Buffer Over-Read in IPTC encoder * Fix CVE-2026-45031: Policy Bypass in PSD decoder. Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. * Fix CVE-2026-45358: Heap Buffer Over-Read of a single byte in meta encoder. An of by one in the meta encoder could result in an out of bounds read of a single byte in the meta encoder. * Fix CVE-2026-45359: Heap Buffer Over-Read in connected components when the user supplies an invalid keep-top define. An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. * Fix CVE-2026-45624: Heap Buffer Over-Read of 24 bytes in distort operation. When performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. * Fix CVE-2026-45664: Policy Bypass in MNG decoder Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. * Fix CVE-2026-46520: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions When reading multiple images with different dimensions an out of bounds heap write can occur. * Fix CVE-2026-46521: Heap Buffer Over-Write in MIFF encoder when using LZMA compression. When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check * Fix CVE-2026-46522: Infinite Loop in the MIFF decoder can lead to CPU exhaustion. Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion. * Fix CVE-2026-46523: Use-After-Free in MSL decoder. A crafted MSL image can trigger a heap-use-after-free. * Fix CVE-2026-46557: Stack overflow in fx operation. Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. * Fix CVE-2026-46559: Heap Buffer Over-Write of a single byte in the JP2 encoder. An incorrect check in the JP2 will result in an heap buffer over write of a single byte when specifying certain options. * Fix CVE-2026-46692: Heap Buffer Over-Write in distributed pixel cache server An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. * Fix CVE-2026-46693: Race Condition in distributed pixel cache server can result in file descriptor hijacking An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. * Fix CVE-2026-47165: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model. The distributed pixel cache was originally designed to operate without a challenge–response authentication model. However, given today’s heightened security expectations, we have changed our implementation. * Fix CVE-2026-47166: Heap Buffer Over-Read in distributed pixel cache server. An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. incus (6.0.4-2+deb13u8) trixie-security; urgency=high . * Cherry-pick fixes for the following security issues: - CVE-2026-48749 / GHSA-2q3f-q5pq-g8wv - CVE-2026-48750 / GHSA-73hr-m85f-64v9 - CVE-2026-48751 / GHSA-48q5-w887-33wv - CVE-2026-48752 / GHSA-vxp5-584q-c479 - CVE-2026-48755 / GHSA-v6mj-8pf4-hhw4 - CVE-2026-48756 / GHSA-xhqx-mgh3-3h7q - CVE-2026-48769 / GHSA-f6m5-xw2g-xc4x - CVE-2026-55621 / GHSA-64f3-v33m-w89f - CVE-2026-55622 / GHSA-c9f5-j9c3-mhrg ironic (1:29.0.5-0+deb13u2) trixie-security; urgency=medium . * CVE-2026-44917: Ironic does not validate the location of node.driver_info[pxe_template], allowing a user who can set it to expose arbitrary files on an internal Ironic network, such as the servicing, provisioning, or cleaning networks. Applied upstream patch: - CVE-2026-44917_disable-driver_info-level-pxe_template-override.patch * CVE-2026-46447: A user with access to add or modify node.driver_info or node.instance_info can create a crafted value to enable iPXE script execution during the boot process. Applied upstream patch: - CVE-2026-46447_Sanitize-kernel_append_parms.patch * CVE-2026-48681: A maliciously crafted ISO image can cause Ironic to perform path traversal and overwrite files on a conductor's disk. Applied upstream patch: - CVE-2026-48681-directory_transversal_ISO9660_support.patch (Closes: #1138842) ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium . * New upstream release. Include fix for: - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via Ironic’s idrac Configuration molds Feature (Closes: #1135898). - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console Implementations. Applied upstream patch: "Shell-quote console command passed to socat" (Closes: #1135255). * CVE-2026-44916: instance_info['ks_template'] is rendered without sandboxing. An attacker with sufficient access, an ironic deployment with the anaconda deploy interface, a node with the anaconda deployment interface set by an admin, and a malicious template could result in conductor internal data being rendered and if the infrastucture operator is allowing traffic egress for the provisioning network, could have sensitive internal data exfiled out of the environment. Applied upstream patch: - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch (Closes: #1136005). * CVE-2026-44919: during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL. Add upstream patch: move_file_url_validation_up_into_deploy_utils_main_path.patch. (Closes: #1136655). isc-kea (2.6.3-1+deb13u1) trixie; urgency=medium . * CVE-2026-3608 isenkram (0.69+deb13u1) trixie; urgency=medium . * Adjusted update-fw-list to handle / -> /usr migration (Closes: #1133426). * Updated generated firmware lists. jackson-core (2.14.1-2~deb13u1) trixie-security; urgency=medium . * Team upload. * Backport 2.14.1 to trixie. * Fix CVE-2025-52999 and CVE-2025-49128. jackson-core (2.14.1-2~deb12u1) bookworm-security; urgency=medium . * Team upload. * Backport 2.14.1 to bookworm. * Fix CVE-2025-52999 and CVE-2025-49128. jackson-databind (2.14.0+ds-1+deb13u1) trixie-security; urgency=medium . [ Otto Kekäläinen ] * Enable Salsa CI to help avoid testable regressions before upload to Debian * Fix broken Homepage link and add current upstream metadata. The site wiki.fasterxml.com no longer exists. Replace it with link to the current wiki location. Also add a metadata file following DEP-12, so it is easier for both maintainers to find the correct upstream websites, as well as for `git-buildpackage --add-upstreamvcs` feature to work. * Define Debian packaging repository conventions in gbp.conf. Add a git-buildpackage config file to show explicitly what conventions this Debian source package repository uses. This way it is easier for current maintainer to do e.g. new upstream version imports, as there are less arguments that need to be passed to `gbp` commands, and also for any future maintainer/contributor there is less guesswork. . [ Markus Koschany ] * Add CVE-2025-52999.patch and fix a FBTFS due to changes in jackson-core. (Closes: #1135410) jackson-dataformat-smile (2.7.8-5+deb13u1) trixie-security; urgency=medium . * Team upload. * Fix FTBFS with jackson-core and restore the compatibility. jackson-dataformat-smile (2.7.8-5+deb12u1) bookworm-security; urgency=medium . * Team upload. * Fix FTBFS with jackson-core and restore the compatibility. jpeg-xl (0.11.2-0.1~deb13u2) trixie-security; urgency=medium . * CVE-2025-70103 (Closes: #1138575) kdenlive (24.12.3-2+deb13u1) trixie-security; urgency=high . * Add patch 02-CVE-2026-45184: Dangerous proxy parameters, when an attacker-controlled project file is used. Closes: #1136172 keystone (2:27.0.0-3+deb13u4) trixie-security; urgency=medium . * Multiple vulnerabilities in Keystone's delegated authentication allow an authenticated user to escalate privileges to cloud admin. The most severe (CVE-2026-42999) requires only a valid token: - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON request body, bypassing authorization on any policy-protected endpoint. Allows reading all credential secrets, creating credentials for arbitrary users, and granting admin across domains. (LP#2148398, reported by Boris Bobrov, SAP SE). - CVE-2026-42998: Application credential authentication does not verify the caller owns the credential, allowing user impersonation within a shared project. (LP#2148477, reported by Boris Bobrov, SAP SE). - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained with trusts to escalate from member to admin. The resulting trust persists independently of the original credential. (LP#2148477, reported by Boris Bobrov, SAP SE) - CVE-2026-43001: Application credentials scoped to one project can create EC2 credentials for a different project. A fix for the creation-time path is already merged; this patch extends the check to the auth-time path. (LP#2149775, reported by Tim Shepherd, roiai.ca) - CVE-2026-44394: Federated users can maintain access indefinitely by repeatedly rescoping tokens before expiry. Each rescope issues a fresh full-TTL token instead of inheriting the original expiry. Only SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen, Institute of Computing Technology, Chinese Academy of Sciences). . The patch also addresses three related issues found during investigation: trust-scoped tokens accessing credentials outside the delegated project (LP#2149789), trust-scoped tokens creating persistent application credentials for impersonated users (LP#2150089), and a latent query-string parameter injection in policy enforcement and lack of scope boundary enforcement in the delegated token logic (LP#2150089). These were reported by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH). . Applied the proposed upstream patches: - 0001-Add-tests-for-restricted-app-cred-guard.patch - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch - CVE-2026-43001-keystone-backport-stable-2025.1.patch . Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the trust policy structure. If this policy is customized by the provider, failure to update it may result in issues with image upload, heat service functionality and potentially more. * Note that all the above CVE are combined into this one: CVE-2026-43001. (Closes: #1135645). keystone (2:27.0.0-3+deb13u3) trixie; urgency=medium . * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert enabled attribute to boolean. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. Applied upstream patch: - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch (Closes: #1133884). * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2 credential creation and deletion" (Closes: #1133118). kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium . * Add patches to fix CVE-2026-33642 and CVE-2026-33633 Closes: #1137210 krb5 (1.21.3-5+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) (Closes: #1135317) libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium . * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503) libass (1:0.17.3-1+deb13u1) trixie; urgency=medium . [ Oneric ] * Backport security fixes from 0.15.5 to 0.17.3 - Out-of-bounds read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm) libbytes-random-secure-perl (0.29-4~deb13u1) trixie; urgency=medium . * Rebuild for trixie . libbytes-random-secure-perl (0.29-4) unstable; urgency=medium . * Team upload. * Fix incorrect usage of seed in PRNG (CVE-2026-11625) libbytes-random-secure-perl (0.29-4~deb13u1~deb12u1) bookworm; urgency=medium . * Rebuild for bookworm . libbytes-random-secure-perl (0.29-4~deb13u1) trixie; urgency=medium . * Rebuild for trixie . libbytes-random-secure-perl (0.29-4) unstable; urgency=medium . * Team upload. * Fix incorrect usage of seed in PRNG (CVE-2026-11625) libcaca (0.99.beta20-5+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Prevent undefined behaviour in overflow check (CVE-2026-42046) (Closes: #1136952) libconfig-inifiles-perl (3.000003-3+deb13u1) trixie-security; urgency=high . * Team upload. * Add fix for CVE-2026-11527 (uses 2-arg open() in _make_filehandle) libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium . * Rebuild for trixie * Revert "Annotate test-only build dependencies with ." * Revert "Remove «Priority: optional», which is the current default." * Revert "Declare compliance with Debian Policy 4.7.4." . libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium . * Team upload. * Import upstream version 0.261630. - Change the default hash algorithm to HMAC-SHA256, and increase the default number of iterations to 600,000 (CVE-2026-9641). - Generate salts using Crypt::URandom instead of perl's builtin `rand()` (CVE-2026-9638). - Use a constant-time comparison in `validate` to avoid timing attacks (CVE-2017-20240). Closes: #1139867 * Update debian/upstream/metadata. * Update years of upstream copyright. * debian/control: update build/test/runtime dependencies. * Declare compliance with Debian Policy 4.7.4. * Remove «Priority: optional», which is the current default. * Annotate test-only build dependencies with . libcrypt-pbkdf2-perl (0.261630-1~deb13u1~deb12u1) bookworm; urgency=medium . * Rebuild for bookworm . libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium . * Rebuild for trixie * Revert "Annotate test-only build dependencies with ." * Revert "Remove «Priority: optional», which is the current default." * Revert "Declare compliance with Debian Policy 4.7.4." . libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium . * Team upload. * Import upstream version 0.261630. - Change the default hash algorithm to HMAC-SHA256, and increase the default number of iterations to 600,000 (CVE-2026-9641). - Generate salts using Crypt::URandom instead of perl's builtin `rand()` (CVE-2026-9638). - Use a constant-time comparison in `validate` to avoid timing attacks (CVE-2017-20240). Closes: #1139867 * Update debian/upstream/metadata. * Update years of upstream copyright. * debian/control: update build/test/runtime dependencies. * Declare compliance with Debian Policy 4.7.4. * Remove «Priority: optional», which is the current default. * Annotate test-only build dependencies with . libcrypt-urandom-perl (0.54-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom() libdbi-perl (1.647-1+deb13u1) trixie-security; urgency=high . * Team upload. * Fix possible stack overflow (CVE-2026-9698) * Replacing `?` with `:p#` in `preparse ()` with more than 9 `?` causes buffer overflow (CVE-2026-10879) libgcrypt20 (1.11.0-7+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * cipher:ecc: Fix decoding a point on Montgomery curve. (CVE-2026-41989) libgd-perl (2.78-1+deb13u1) trixie-security; urgency=high . * Team upload. * Fix CVE-2026-11526: command injection via 2-arg open() in _make_filehandle libhtml-parser-perl (3.83-2~deb13u1) trixie; urgency=medium . * Rebuild for trixie . libhtml-parser-perl (3.83-2) unstable; urgency=medium . * Fix heap-use-after-free in _decode_entities (CVE-2026-8829) libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high . * Team upload. * Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic (Closes: #1138050) * Add regression test for send_file() shell-magic refusal libhttp-daemon-perl (6.16-1+deb13u1~deb12u1) bookworm-security; urgency=high . * Team upload. * Rebuild for bookworm-security . libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high . * Team upload. * Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic (Closes: #1138050) * Add regression test for send_file() shell-magic refusal libinput (1.28.1-1+deb13u1) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * util: don't call function in macro argument * util: sanitize control characters in str_sanitize() * libinput-device-group: sanitize phys before printing it (CVE-2026-50292) libnet-cidr-lite-perl (0.22-3~deb13u2) trixie; urgency=medium . * Team upload. * CVE-2026-45190: Reject Unicode digits and trailing newlines in parsers * CVE-2026-45190: Add tests * CVE-2026-45191: Reject zero-padded CIDR masks * CVE-2026-45191: Add tests librabbitmq (0.15.0-1+deb13u1) trixie-security; urgency=medium . * [b57bf8d] d/patches/CVE-2026-44235.patch: added from upstream. Fix out-of-bounds read via undersized frames in amqp_handle_input (GHSA-9mmv-r8g3-qp46, CVE-2026-44235) * [890d6c5] d/patches/CVE-2026-44236.patch: added from upstream. Fix client crash when server negotiates frame_max below the AMQP protocol minimum (GHSA-jh48-qjf5-fx5v, CVE-2026-44236) libreoffice (4:25.2.3-2+deb13u6) trixie; urgency=medium . * debian/patches/check-for-hb_shape_full-failure.diff: add patch from libreoffice-26-2 branch to gracefully handle hb_shape_full failure, as can happen after the fix for CVE-2026-50593 in graphite2 libreoffice (4:25.2.3-2+deb13u5) trixie-security; urgency=medium . * debian/patches/CVE-2026-*.diff: fix - CVE-2026-6039 DXF heap-buffer-overflow in DrawLWPolyLineEntity - CVE-2026-6040 ODT use-after-free in lcl_InsertBlankWidthChars - CVE-2026-6045 EMF+ Heap-buffer-overflow in EMFPBrush::Read - CVE-2026-8356 ANT-2026-01882: Stack Buffer Overflow in `SdrEscherImport::RecolorGraphic()` - CVE-2026-8357 ANT-2026-03093: Off-by-one heap-buffer-overflow in LibreOffice Calc formula compiler - CVE-2026-8358 ANT-2026-03238: Heap-buffer-overflow in LibreOffice Calc FODS tracked-changes importer via duplicate action ID libreoffice (4:25.2.3-2+deb13u5~bpo12+1) bookworm-backports; urgency=medium . * rebuild for bookworm-backports . * revert t64 rename for bookworm-backports . * debian/source/include-binaries, tarballs/*: include tarballs/frozen-1.2.0.tar.gz tarballs/mdds-2.1.1.tar.xz tarballs/liborcus-0.19.2.tar.xz tarballs/libcmis-0.6.2.tar.xz . libreoffice (4:25.2.3-2+deb13u5) trixie-security; urgency=medium . * debian/patches/CVE-2026-*.diff: fix - CVE-2026-6039 DXF heap-buffer-overflow in DrawLWPolyLineEntity - CVE-2026-6040 ODT use-after-free in lcl_InsertBlankWidthChars - CVE-2026-6045 EMF+ Heap-buffer-overflow in EMFPBrush::Read - CVE-2026-8356 ANT-2026-01882: Stack Buffer Overflow in `SdrEscherImport::RecolorGraphic()` - CVE-2026-8357 ANT-2026-03093: Off-by-one heap-buffer-overflow in LibreOffice Calc formula compiler - CVE-2026-8358 ANT-2026-03238: Heap-buffer-overflow in LibreOffice Calc FODS tracked-changes importer via duplicate action ID . libreoffice (4:25.2.3-2+deb13u4) trixie-security; urgency=medium . * debian/patches/Conform-AlignEngine-parsing-to-spec.diff: as name says; from libreoffice-26-2 branch; fixes CVE-2026-4430 libslirp (4.8.0-1+deb13u1) trixie; urgency=medium . * d/gbp.conf: switch to debian/trixie branch * oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch patch from upstream to fix CVE-2026-9539 (oob heap read and integer underflow allowing reading sensitive host-process memory) libssh2 (1.11.1-1+deb13u1) trixie-security; urgency=medium . * CVE-2026-7598 (Closes: #1135647) * CVE-2025-15661 / CVE-2026-55199 / CVE-2026-55200 (Closes: #1140401) libtasn1-6 (4.20.0-2+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-13151: Stack-based buffer overflow in asn1_expand_octet_string() (Closes: #1125063) libvncserver (0.9.15+dfsg-1+deb13u2) trixie; urgency=medium . * Team upload. * debian/patches: + CVE-2026-44988: Add 0003_CVE-2026-44988.patch fixing Tight gradient decoding overflow (Closes: #1138174). + CVE-2026-50538: Add 0004_CVE-2026-50538.patch fixing attacker-controlled heap out-of-bounds write (Closes: #1138253). libxml-libxml-perl (2.0207+dfsg+really+2.0134-5+deb13u1) trixie; urgency=medium . * Team upload. * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read (CVE-2026-8177) (Closes: #1136300) libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. libxpm (1:3.5.17-1+deb13u1) trixie; urgency=medium . * CVE-2026-4367 (Closes: #1134690) linux (6.12.94-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.91 - io_uring/kbuf: use mem_is_zero() - blk-cgroup: wait for blkcg cleanup before initializing new disk - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START - fs/mbcache: cancel shrink work before destroying the cache - md/raid1: fix the comparing region of interval tree - drbd: Balance RCU calls in drbd_adm_dump_devices() - loop: fix partition scan race between udev and loop_reread_partitions() - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() - pstore/ram: fix resource leak when ioremap() fails - md: wake raid456 reshape waiters before suspend - btrfs: pass struct btrfs_inode to clone_copy_inline_extent() - btrfs: fix deadlock between reflink and transaction commit when using flushoncommit - [amd64] ACPI: x86: cmos_rtc: Clean up address space handler driver - [amd64] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver - devres: fix missing node debug info in devm_krealloc() - thermal/drivers/spear: Fix error condition for reading st,thermal-flags - debugfs: check for NULL pointer in debugfs_create_str() - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() - soundwire: debugfs: initialize firmware_file to empty string - PCI: use generic driver_override infrastructure - platform/wmi: use generic driver_override infrastructure - [s390x] cio: use generic driver_override infrastructure - bus: fsl-mc: use generic driver_override infrastructure - irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter - hrtimers: Update the return type of enqueue_hrtimer() - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() - hrtimer: Reduce trace noise in hrtimer_start() - locking: Fix rwlock support in - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet - bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n - [s390x] bpf: Zero-extend bpf prog return values and kfunc arguments - params: Replace __modinit with __init_or_module - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control - wifi: mt76: mt7615: fix use_cts_prot support - wifi: mt76: mt7915: fix use_cts_prot support - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() - wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor - wifi: mt76: mt7921: Place upper limit on station AID - [arm64] cpufeature: Make PMUVer and PerfMon unsigned - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() - wifi: mt76: mt7921: fix 6GHz regulatory update on connection - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path - bpf: Fix variable length stack write over spilled pointers - bpf,arc_jit: Fix missing newline in pr_err messages - wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() - r8152: fix incorrect register write to USB_UPHY_XTAL - [powerpc*] crash: fix backup region offset update to elfcorehdr - [powerpc*] crash: Update backup region offset in elfcorehdr on memory hotplug - macvlan: annotate data-races around port->bc_queue_len_used - bpf: fix end-of-list detection in cgroup_storage_get_next_key() - bpf: Fix stale offload->prog pointer after constant blinding - wifi: brcmfmac: Fix error pointer dereference - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() - wifi: ath10k: fix station lookup failure during disconnect - ACPI: AGDI: fix missing newline in error message - [arm64] kexec: Remove duplicate allocation for trans_pgd - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb - net: bcmgenet: add bcmgenet_has_* helpers - net: bcmgenet: move DESC_INDEX flow to ring 0 - net: bcmgenet: support reclaiming unsent Tx packets - net: bcmgenet: switch to use 64bit statistics - net: bcmgenet: fix racing timeout handler - eth: fbnic: Use wake instead of start - netfilter: xt_socket: enable defrag after all other checks - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - bpf: fix mm lifecycle in open-coded task_vma iterator - bpf: switch task_vma iterator from mmap_lock to per-VMA locks - bpf: return VMA snapshot from task_vma iterator - bpf: Fix RCU stall in bpf_fd_array_map_clear() - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf - bpf: Relax scalar id equivalence for state pruning - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars - net/sched: act_ct: Only release RCU read lock after ct_ft - net: airoha: Implement BQL support - net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() - bpf: Allow instructions with arena source and non-arena dest registers - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace - bpf: Fix OOB in pcpu_init_value - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 - net: phy: fix a return path in get_phy_c45_ids() - net/mlx5e: Fix features not applied during netdev registration - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec - net: phy: qcom: at803x: Use the correct bit to disable extended next page - ipv4: udp: fix typos in comments - ipv6: udp: fix typos in comments - udp: Force compute_score to always inline - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init(). - sctp: fix missing encap_port propagation for GSO fragments - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master - drm/komeda: fix integer overflow in AFBC framebuffer size check - ASoC: SOF: ipc3: Use standard dev_dbg API - ASoC: add symmetric_ prefix for dai->rate/channels/sample_bits - ASoC: soc-compress: use function to clear symmetric params - drm/sun4i: backend: fix error pointer dereference - ASoC: sti: Return errors from regmap_field_alloc() - ASoC: sti: use managed regmap_field allocations - dm cache: fix null-deref with concurrent writes in passthrough mode - dm cache: fix write path cache coherency in passthrough mode - dm cache: fix write hang in passthrough mode - dm cache policy smq: fix missing locks in invalidating cache blocks - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching - platform/chrome: chromeos_tbmc: Drop wakeup source on remove - PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs encoding - PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() - PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() - dm cache metadata: fix memory leak on metadata abort retry - dm log: fix out-of-bounds write due to region_count overflow - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check - spi: spi-nxp-fspi: enable runtime pm for fspi - spi: nxp-fspi: Use reinit_completion() for repeated operations - spi: fsl-qspi: Use reinit_completion() for repeated operations - media: i2c: og01a1b: Replace client->dev usage - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe - drm/v3d: Handle error from drm_sched_entity_init() - drm/sun4i: Fix resource leaks - drm/amdgpu: Add default case in DVI mode validation - dm init: ensure device probing has finished in dm-mod.waitfor= - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break - crypto: tegra - finalize crypto req on error - crypto: tegra - Transfer HASH init function to crypto engine - crypto: tegra - Reserve keyslots to allocate dynamically - crypto: tegra - Disable softirqs before finalizing request - crypto: atmel - Use unregister_{aeads,ahashes,skciphers} - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs - padata: Remove cpu online check from cpu add and removal - padata: Put CPU offline callback in ONLINE section to allow failure - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation - drm/amdgpu/gfx10: look at the right prop for gfx queue priority - drm/amdgpu/gfx11: look at the right prop for gfx queue priority - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo - drm/imagination: Switch reset_reason fields from enum to u32 - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() - [arm64] drm/msm/dpu: fix mismatch between power and frequency - [arm64] drm/msm/dsi: add the missing parameter description - [arm64] drm/msm/dsi: fix bits_per_pclk - [arm64] drm/msm/dsi: fix hdisplay calculation for CMD mode panel - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first - drm/panel: simple: Correct G190EAN01 prepare timing - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board - drm/amdgpu: add amdgpu_device reference in ip block - drm/amdgpu: update the handle ptr in dump_ip_state - drm/amdgpu: update the handle ptr in early_init - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled - hwmon: Switch back to struct platform_driver::remove() - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') - [amd64] ASoC: SOF: Intel: hda: Place check before dereference - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/shrinker: Fix can_block() logic - [arm64] drm/msm/a6xx: Fix dumping A650+ debugbus blocks - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - pmdomain: ti: omap_prm: Fix a reference leak on device node - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() - PM: domains: De-constify fields in struct dev_pm_domain_attach_data - ASoC: fsl_micfil: Add access property for "VAD Detected" - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() - ASoC: fsl_micfil: Fix event generation in micfil_quality_set() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() - ASoC: fsl_easrc: Change the type for iec958 channel status controls - [amd64] iommu/amd: Remove protection_domain.dev_cnt variable - [amd64] iommu/amd: xarray to track protection_domain->iommu list - [amd64] iommu/amd: Do not detach devices in domain free path - [amd64] iommu/amd: Reduce domain lock scope in attach device path - [amd64] iommu/amd: Rearrange attach device code - [amd64] iommu/amd: Convert dev_data lock from spinlock to mutex - [amd64] iommu/amd: Introduce helper function to update 256-bit DTE - [amd64] iommu/amd: Introduce helper function get_dte256() - [amd64] iommu/amd: Fix clone_alias() to use the original device's devid - [arm64] ASoC: qcom: qdsp6: topology: check widget type before accessing data - crypto: qat - introduce fuse array - crypto: qat - disable 4xxx AE cluster when lead engine is fused off - crypto: qat - disable 420xx AE cluster when lead engine is fused off - crypto: qat - fix type mismatch in RAS sysfs show functions - crypto: qat - use swab32 macro - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] - PCI: Enable AtomicOps only if Root Port supports them - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found - Documentation: fix a hugetlbfs reservation statement - ALSA: scarlett2: Add missing sentinel initializer field - ASoC: SOF: compress: return the configured codec from get_params - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports - PCI: tegra194: Fix polling delay for L2 state - PCI: tegra194: Increase LTSSM poll time on surprise link down - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down - PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0() - PCI: tegra194: Don't force the device into the D0 state before L2 - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode - PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" - PCI: tegra194: Disable direct speed change for Endpoint mode - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode - PCI: tegra194: Allow system suspend when the Endpoint link is not up - PCI: tegra194: Free up Endpoint resources during remove() - PCI: tegra194: Use DWC IP core version - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on - spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback - ALSA: sc6000: Keep the programmed board state in card-private data - dm cache: fix missing return in invalidate_committed's error path - crypto: jitterentropy - replace long-held spinlock with mutex - ALSA: hda/realtek - fixed speaker no sound update - gfs2: Call unlock_new_inode before d_instantiate - net/socket.c: switch to CLASS(fd) - fdget(), trivial conversions - fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() - quota: Fix race of dquot_scan_active() with quota deactivation - gfs2: add some missing log locking - gfs2: prevent NULL pointer dereference during unmount - efi/capsule-loader: fix incorrect sizeof in phys array reallocation - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine - [arm64] dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon - memory: tegra124-emc: Fix dll_change check - memory: tegra30-emc: Fix dll_change check - [arm64] dts: imx8-apalis: Fix LEDs name collision - [arm64] dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) - iommufd: vfio compatibility extension check for noiommu mode - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7981b: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count - [arm64] dts: qcom: msm8953-xiaomi-vince: correct wled ovp value - [arm64] dts: qcom: msm8953-xiaomi-daisy: fix backlight - [arm64] dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi - [arm64] dts: rockchip: Correct Fan Supply for Gameforce Ace - [arm64] dts: rockchip: Correct Joystick Axes on Gameforce Ace - [arm64] soc: qcom: ocmem: make the core clock optional - [arm64] soc: qcom: ocmem: register reasons for probe deferrals - [arm64] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available - bus: rifsc: fix RIF configuration check for peripherals - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix GIC_ITS range length - [arm64] dts: qcom: sm8650: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix xo clock supply of platform SD host controller - [arm64] dts: qcom: sm8650: Fix xo clock supply of SD host controller - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - [arm64] dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins - [arm64] dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins - [arm64] dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label - [arm64] dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing - [arm64] dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit - [arm64] dts: lx2160a: remove duplicate pinmux nodes - [arm64] dts: lx2160a: rename pinmux nodes for readability - [arm64] dts: lx2160a: add sda gpio references for i2c bus recovery - [arm64] dts: lx2160a: change zeros to hexadecimal in pinmux nodes - [arm64] dts: lx2160a: complete pinmux for rcwsr12 configuration word - [arm64] dts: imx8qm-mek: switch Type-C connector power-role to dual - [arm64] dts: imx8qxp-mek: switch Type-C connector power-role to dual - soc/tegra: cbb: Set ERD on resume for err interrupt - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure - ocfs2/dlm: validate qr_numregions in dlm_match_regions() - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison - soc: qcom: llcc: fix v1 SB syndrome register offset - [arm64] soc: qcom: aoss: compare against normalized cooling state - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP - [arm64] xor: fix conflicting attributes for xor_block_template - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP - ocfs2: fix listxattr handling when the buffer is full - ocfs2: validate bg_bits during freefrag scan - ocfs2: validate group add input before caching - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function - soundwire: bus: demote UNATTACHED state warnings to dev_dbg() - dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - soundwire: cadence: Clear message complete before signaling waiting thread - tracing: Rebuild full_name on each hist_field_name() call - hte: tegra194: remove Kconfig dependency on Tegra194 SoC - remoteproc: xlnx: Fix sram property parsing - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: make asus_resume adhere to linux kernel coding standards - HID: asus: do not abort probe when not necessary - mtd: physmap_of_gemini: Fix disabled pinctrl state check - ima_fs: don't bother with removal of files in directory we'll be removing - ima_fs: get rid of lookup-by-dentry stuff - ima_fs: Correctly create securityfs files for unsupported hash algos - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range - mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions - cxl/pci: Check memdev driver binding status in cxl_reset_done() - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() - ext4: fix possible null-ptr-deref in mbt_kunit_exit() - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check - bpf, sockmap: Fix af_unix iter deadlock - bpf, sockmap: Fix af_unix null-ptr-deref in proto update - bpf, sockmap: Take state lock for af_unix iter - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - bpf: Fix NULL deref in map_kptr_match_type for scalar regs - bpf: allow UTF-8 literals in bpf_bprintf_prepare() - bpf: Validate node_id in arena_alloc_pages() - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT - pinctrl: pinctrl-pic32: Fix resource leak - pinctrl: cy8c95x0: remove duplicate error message - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() - pinctrl: cy8c95x0: Avoid returning positive values to user space - perf branch: Avoid incrementing NULL - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace - pinctrl: realtek: Fix function signature for config argument - pinctrl: abx500: Fix type of 'argument' variable - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers - perf lock: Fix option value type in parse_max_stack - perf stat: Fix opt->value type for parse_cache_level - perf tools: Fix module symbol resolution for non-zero .text sh_addr - perf expr: Return -EINVAL for syntax error in expr__find_ids() - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure - ipmi: ssif_bmc: fix message desynchronization after truncated response - ipmi: ssif_bmc: change log level to dbg in irq callback - perf evsel: Add alternate_hw_config and use in evsel__match - perf tool_pmu: Factor tool events into their own PMU - perf python: Add parse_events function - perf cgroup: Update metric leader in evlist__expand_cgroup - perf maps: Fix copy_from that can break sorted by name order - perf util: Kill die() prototype, dead for a long time - reset: replace boolean parameters with flags parameter - reset: Add devres helpers to request pre-deasserted reset controls - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status - backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() - platform/surface: surfacepro3_button: Drop wakeup source on remove - leds: lgm-sso: Remove duplicate assignments for priv->mmap - tty: hvc_iucv: fix off-by-one in number of supported devices - platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - [amd64] platform/x86: asus-wmi: adjust screenpad power/brightness handling - [amd64] platform/x86: asus-wmi: fix screenpad brightness range - tty: serial: ip22zilog: Fix section mispatch warning - fs/ntfs3: terminate the cached volume label after UTF-8 conversion - [amd64] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - [amd64] platform/x86: dell-wmi-sysman: bound enumeration string aggregation - RDMA/core: Prefer NLA_NUL_STRING - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source - scsi: sg: Fix sysctl sg-big-buff register during sg_init() - scsi: sg: Resolve soft lockup issue when opening /dev/sgX - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting - scsi: target: core: Fix integer overflow in UNMAP bounds check - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Use retention for USB power domains - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - clk: imx8mq: Correct the CSI PHY sels - [amd64] x86/um/vdso: Drop VDSO64-y from Makefile - clk: qoriq: avoid format string warning - clk: xgene: Fix mapping leak in xgene_pllclk_init() - dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets - clk: qcom: dispcc-sc7180: Add missing MDSS resets - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON - clk: visconti: pll: initialize clk_init_data to zero - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() - [amd64] drm/i915: Relocate the SKL wm sanitation code - [amd64] drm/i915/wm: Verify the correct plane DDB entry - crypto: sa2ul - Fix AEAD fallback algorithm names - crypto: ccp - copy IV using skcipher ivsize - erofs: add encoded extent on-disk definition - erofs: do sanity check on m->type in z_erofs_load_compact_lcluster() - erofs: avoid infinite loops due to corrupted subpage compact indexes (CVE-2025-68251) - erofs: unify lcn as u64 for 32-bit platforms - [arm64] dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT - PCMCIA: Fix garbled log messages for KERN_CONT - [arm64] dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT - [arm64] dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names - net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir - macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: fix IPv6 route referencing IPv4 nexthop - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch - tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE - tcp: annotate data-races around tp->bytes_sent - tcp: annotate data-races around tp->bytes_retrans - tcp: annotate data-races around tp->dsack_dups - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - tcp: annotate data-races around tp->plb_rehash - ice: update PCS latency settings for E825 10G/25Gb modes - ice: Remove jumbo_remove step from TX path - ice: fix double-free of tx_buf skb - ice: fix ICE_AQ_LINK_SPEED_M for 200G - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks - pppoe: drop PFC frames - net/mlx5: Fix HCA caps leak on notifier init failure - openvswitch: cap upcall PID array size and pre-size vport replies - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO - netfilter: conntrack: remove sprintf usage - netfilter: xtables: restrict several matches to inet family - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check - slip: reject VJ receive packets on instances with no rstate array - slip: bound decode() reads against the compressed packet length - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - pwm: atmel-tcb: Cache clock rates and mark chip as atomic - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() - ksmbd: destroy async_ida in ksmbd_conn_free() - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open - ksmbd: scope conn->binding slowpath to bound sessions only - net/rds: zero per-item info buffer before handing it to visitors - ice: fix timestamp interrupt configuration for E825C - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - net: dsa: realtek: rtl8365mb: fix mode mask calculation - net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() - virtio_net: Split struct virtio_net_rss_config - virtio_net: Fix endian with virtio_net_ctrl_rss - virtio_net: Use new RSS config structs - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() - rtc: abx80x: Disable alarm feature if no interrupt attached - kbuild: builddeb - avoid recompiles for non-cross-compiles - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case - mailbox: mailbox-test: free channels on probe error - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array - mailbox: mailbox-test: don't free the reused channel - mailbox: mailbox-test: initialize struct earlier - mailbox: mailbox-test: make data_ready a per-instance variable - fsnotify: fix inode reference leak in fsnotify_recalc_mask() - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - cgroup: Increment nr_dying_subsys_* from rmdir context - tracing: branch: Fix inverted check on stat tracer registration - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers - netfilter: arp_tables: fix IEEE1394 ARP payload parsing - nvme-pci: fix missed admin queue sq doorbell write - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG - drm/amdgpu: fix spelling typos - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching - netfilter: nf_conntrack_sip: don't use simple_strtoul - [amd64] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ - drm/sysfb: ofdrm: fix PCI device reference leaks - arm64/scs: Fix potential sign extension issue of advance_loc4 - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets - net/sched: netem: only reseed PRNG when seed is explicitly provided - net/sched: netem: validate slot configuration - net/sched: netem: fix slot delay calculation overflow - net/sched: netem: check for negative latency and jitter - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - NFC: trf7970a: Ignore antenna noise when checking for RF field - net/sched: taprio: fix NULL pointer dereference in class dump - neigh: let neigh_xmit take skb ownership - tcp: make probe0 timer handle expired user timeout - net, treewide: define and use MAC_ADDR_STR_LEN - netconsole: allow selection of egress interface via MAC address - netpoll: Extract carrier wait function - netpoll: extract IPv4 address retrieval into helper function - netpoll: fix IPv6 local-address corruption - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams - sched/fair: Clear rel_deadline when initializing forked entities - net: mctp i2c: check length before marking flow active - net: phy: dp83869: fix setting CLK_O_SEL field. - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring - ASoC: codecs: ab8500: Fix casting of private data - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - netconsole: propagate device name truncation in dev_name_store() - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 - ALSA: hda/conexant: Fix missing error check for jack detection - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - drm/xe/debugfs: Correct printing of register whitelist ranges - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() - drm/xe/gsc: Fix BO leak on error in query_compatibility_version() - page_pool: Set `dma_sync` to false for devmem memory provider - net: page_pool: create hooks for custom memory providers - page_pool: fix memory-provider leak in page_pool_create_percpu() error path - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING - iavf: stop removing VLAN filters from PF on interface down - iavf: wait for PF confirmation before removing VLAN filters - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler - ice: fix NULL pointer dereference in ice_reset_all_vfs() - net: tls: fix strparser anchor skb leak on offload RX setup failure - sfc: fix error code in efx_devlink_info_running_versions() - net/sched: cls_flower: revert unintended changes - [arm64] Reserve an extra page for early kernel mapping - smb: client: correctly handle ErrorContextData as a flexible array - smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613) - LoongArch: KVM: Compile switch.S directly into the kernel - ntfs: ->d_compare() must not block - PCI: Initialize temporary device in new_id_store() - net: bcmgenet: Initialize u64 stats seq counter - net: bcmgenet: fix leaking free_bds - [amd64] iommu/amd: Reorder attach device code - [amd64] iommu/amd: Put list_add/del(dev_data) back under the domain->lock - perf tool_pmu: Fix aggregation on duration_time - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - netpoll: Extract IPv6 address retrieval function - netpoll: pass buffer size to egress_dev() to avoid MAC truncation - page_pool: fix incorrect mp_ops error handling - crypto: af_alg - Cap AEAD AD length to 0x80000000 - i40e: Cleanup PTP pins on probe failure - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path - netfilter: nf_conntrack_sip: get helper before allocating expectation - audit: fix incorrect inheritable capability in CAPSET records - Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" - netfilter: nft_ct: fix missing expect put in obj eval - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic - [amd64] KVM: x86: Fix Xen hypercall tracepoint argument assignment - netfilter: nf_tables: unconditionally bump set->nelems before insertion (CVE-2026-23272) - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands - smb/client: fix possible infinite loop and oob read in symlink_data() - [amd64] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans - ALSA: usb-audio: Bound MIDI endpoint descriptor scans - ceph: fix a buffer leak in __ceph_setxattr() - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - [powerpc*] warp: Fix error handling in pika_dtm_thread - netfs: fix error handling in netfs_extract_user_iter() - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining - libceph: Fix potential out-of-bounds access in osdmap_decode() - libceph: Fix potential null-ptr-deref in decode_choose_args() - libceph: Fix potential out-of-bounds access in crush_decode() - libceph: handle rbtree insertion error in decode_choose_args() - [amd64] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [amd64] drm/i915: skip __i915_request_skip() for already signaled requests - drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - drm/xe/dma-buf: handle empty bo and UAF races - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - drm/gma500/oaktrail_lvds: fix hang on init failure - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init - iommufd: Fix return value of iommufd_fault_fops_write() - eventfs: Use list_add_tail_rcu() for SRCU-protected children list - drm/v3d: Reject empty multisync extension to prevent infinite loop - btrfs: use inode already stored in local variable at btrfs_rmdir() - btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() - btrfs: fix missing last_unlink_trans update when removing a directory - smb: client: Use FullSessionKey for AES-256 encryption key derivation - btrfs: do not mark inode incompressible after inline attempt fails - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() - sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new - mptcp: pm: prio: skip closed subflows - mptcp: drop __mptcp_fastopen_gen_msk_ackseq() - mptcp: fix rx timestamp corruption on fastopen - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix false alarm of lockdep on cp_global_sem lock - spi: sifive: Simplify clock handling with devm_clk_get_enabled() - spi: sifive: fix controller deregistration - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - netfs: Fix potential uninitialised var in netfs_extract_user_iter() https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.92 - mptcp: sync the msk->sndbuf at accept() time - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount (CVE-2026-46158) - mptcp: pm: ADD_ADDR rtx: free sk if last (CVE-2026-46170) - ksmbd: validate owner of durable handle on reconnect (CVE-2026-31717) - drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() (CVE-2026-46216) - [s390x] debug: Reject zero-length input before trimming a newline - Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" - Revert "perf tool_pmu: Fix aggregation on duration_time" - Revert "perf python: Add parse_events function" - Revert "perf tool_pmu: Factor tool events into their own PMU" - bridge: mrp: reject zero test interval to avoid OOM panic (CVE-2026-31420) - spi: spi-dw-dma: fix print error log when wait finish transaction (CVE-2026-31560) - Revert "x86/vdso: Fix output operand size of RDPID" - sched/deadline: Less agressive dl_server handling - sched/deadline: Fix dl_server_stopped() - sched/deadline: Fix dl_server getting stuck - sched/deadline: Fix dl_server behaviour - sched/deadline: Stop dl_server before CPU goes offline - ksmbd: close durable scavenger races against m_fp_list lookups - af_unix: Give up GC if MSG_PEEK intervened. (CVE-2026-23394) - drm/imagination: Synchronize interrupts before suspending the GPU (CVE-2026-23469) - ata: libata-scsi: improve readability of ata_scsi_qc_issue() - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS - ata: libata-scsi: do not needlessly defer commands when using PMP with FBS - perf parse-events: Expose/rename config_term_name - Revert "ice: fix double-free of tx_buf skb" - Revert "ice: Remove jumbo_remove step from TX path" - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 - net/mlx5e: Trigger neighbor resolution for unresolved destinations - net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init - [amd64] x86/fgraph: Fix return_to_handler regs.rsp value - [amd64] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set - [riscv64] fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS - [riscv64] fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler (CVE-2025-22069) - hwmon: (pmbus/core) Protect regulator operations with mutex - [arm64] Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL - sysfs: don't remove existing directory on update failure - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() - ksmbd: fix null pointer dereference in compare_guid_key() - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow - ksmbd: validate SID in parent security descriptor during ACL inheritance - smb: client: require net admin for CIFS SWN netlink - smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() - smb: client: use data_len for SMB2 READ encrypted folioq copy - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX - ALSA: ua101: Reject too-short USB descriptors - ALSA: pcm: Don't setup bogus iov_iter for silencing - ALSA: asihpi: Fix potential OOB array access at reading cache - efi: Allocate runtime workqueue before ACPI init - io_uring/waitid: clear waitid info before copying it to userspace - drivers/base/memory: fix memory block reference leak in poison accounting - ipv6: ioam: refresh hdr pointer before ioam6_event() - mm/memory_hotplug: fix memory block reference leak on remove - net: wwan: iosm: fix potential memory leaks in ipc_imem_init() - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer - Bluetooth: MGMT: validate Add Extended Advertising Data length - Bluetooth: serialize accept_q access - phonet/pep: disable BH around forwarded sk_receive_skb() - net: bcmgenet: keep RBUF EEE/PM disabled - net: ifb: report ethtool stats over num_tx_queues - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() - netfilter: ip6t_hbh: reject oversized option lists - netfilter: nf_queue: hold bridge skb->dev while queued - netfilter: ipset: stop hash:* range iteration at end - netfilter: nft_inner: Fix IPv6 inner_thoff desync - sched_ext: Fix missing warning in scx_set_task_state() default case - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path - cgroup/cpuset: Reset DL migration state on can_attach() failure - fs/ntfs3: handle attr_set_size() errors when truncating files - l2tp: use list_del_rcu in l2tp_session_unhash - qed: fix double free in qed_cxt_tables_alloc() - ring-buffer: Fix reporting of missed events in iterator - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() - vsock/vmci: fix UAF when peer resets connection during handshake - vsock/virtio: reset connection on receiving queue overflow - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - rbd: eliminate a race in lock_dwork draining on unmap - lsm: hold cred_guard_mutex for lsm_set_self_attr() - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index - ice: fix setting promisc mode while adding VID filter - ice: restore PTP Rx timestamp config after ethtool set-channels - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - af_unix: Fix UAF read of tail->len in unix_stream_data_wait() - wifi: mac80211: consume only present negotiated TTLM maps - cifs: Fix busy dentry used after unmounting - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [arm64] probes: Handle probes on hinted conditional branch instructions - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits - [arm64] KVM: arm64: vgic: Free private_irqs when init fails after allocation - [riscv64] kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe - spi: qup: fix error pointer deref after DMA setup failure - [arm64] phy: tegra: xusb: Fix per-pad high-speed termination calibration - scsi: isci: Fix use-after-free in device removal path - spi: ep93xx: fix error pointer deref after DMA setup failure - spi: sprd: fix error pointer deref after DMA setup failure - spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - device property: set fwnode->secondary to NULL in fwnode_init() - drm/virtio: use uninterruptible resv lock for plane updates - drm/amdgpu/vpe: Force collaborate sync after TRAP - drm/bridge: it66121: acquire reset GPIO in probe - drm/bridge: megachips: remove bridge when irq request fails - drm/amd/display: Fix integer overflow in bios_get_image() - drm/amd/display: Validate GPIO pin LUT table size before iterating - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown - batman-adv: dat: handle forward allocation error - batman-adv: fix fragment reassembly length accounting - batman-adv: fix tp_meter counter underflow during shutdown - batman-adv: frag: disallow unicast fragment in fragment - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock - hwmon: (pmbus/adm1266) reject implausible blackbox record_count - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors - [arm64] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume - HID: uclogic: Fix regression of input name assignment - [riscv64] mm: Fixup no5lvl failure when vaddr is invalid - [arm64] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 - ALSA: hda: cs35l56: Put ACPI device after setting companion - ALSA: hda: cs35l41: Put ACPI device on missing physical node - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - netfilter: x_tables: unregister the templates first - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() - tcp: Fix imbalanced icsk_accept_queue count. - ice: fix setting RSS VSI hash for E830 - ice: fix locking in ice_dcb_rebuild() - net: lan966x: avoid unregistering netdev on register failure - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - NFSD: Fix infinite loop in layout state revocation - irqchip/ath79-cpu: Remove unused function - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation - nsfs: fix wrong error code returned for pidns ioctls - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT - zonefs: handle integer overflow in zonefs_fname_to_fno - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). - [powerpc*] fix dead default for GUEST_STATE_BUFFER_TEST - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call - netfs: Fix overrun check in netfs_extract_user_iter() - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone - netfs: Defer the emission of trace_netfs_folio() - netfs: Fix streaming write being overwritten - netfs: Fix potential deadlock in write-through mode - netfs: Fix write streaming disablement if fd open O_RDWR - netfs: Fix early put of sink folio in netfs_read_gaps() - netfs: Fix partial invalidation of streaming-write folio - netfs: Fix a few minor bugs in netfs_page_mkwrite() - netfs: Remove unnecessary references to pages - netfs: Fix folio->private handling in netfs_perform_write() - net: ethernet: cortina: Make RX SKB per-port - net: ethernet: cortina: Drop half-assembled SKB - net: ethernet: cortina: Carry over frag counter - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference - wifi: ath11k: fix error path leaks in some WMI WOW calls - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() - wifi: ath10k: skip WMI and beacon transmission when device is wedged - blk-integrity: remove seed for user mapped buffers - block: don't overwrite bip_vcnt in bio_integrity_copy_user() - block: recompute nr_integrity_segments in blk_insert_cloned_request - HID: quirks: really enable the intended work around for appledisplay - block: modify bio_integrity_map_user to accept iov_iter as argument - block: drop direction param from bio_integrity_copy_user() - blk-integrity: use simpler alignment check - blk-integrity: enable p2p source and destination - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() - accel/qaic: Add overflow check to remap_pfn_range during mmap - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - [arm64] drm/msm/dsi: don't dump registers past the mapped region - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN - [powerpc*] time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - net: phy: DP83TC811: add reading of abilities - [amd64] x86/xen: Fix xen_e820_swap_entry_with_ram() - tls: Preserve sk_err across recvmsg() when data has been copied - net/mlx5: Do not restore destination-less TC rules - scsi: sd: Fix return code handling in sd_spinup_disk() - ALSA: scarlett2: Add missing error check when initialise Autogain Status - io_uring/net: punt IORING_OP_BIND async if it needs file create - btrfs: fix squota accounting during enable generation - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions - drm/xe/gsc: Fix double-free of managed BO in error path - drm/xe/vf: Fix signature of print functions - drm/xe/pf: Fix CFI failure in debugfs access - wifi: ath11k: fix peer resolution on rx path when peer_id=0 - ice: ptp: serialize E825 PHY timer start with PTP lock - [amd64] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP - [arm64] net: dsa: mt7530: fix FDB entries not aging out with short timeout - [arm64] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer - platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 - [amd64] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL - [amd64] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL - RDMA/rtrs: Fix use-after-free in path file creation cleanup - net: bridge: Flush multicast groups when snooping is disabled - bridge: mcast: Fix a possible use-after-free when removing a bridge port - pds_core: fix error handling in pdsc_devcmd_wait - pds_core: fix debugfs_lookup dentry leak and error handling - wifi: mac80211: fix MLE defragmentation - ALSA: seq: Serialize UMP output teardown with event_input - tracing: Avoid NULL return from hist_field_name() on truncation - Bluetooth: btmtk: fix urb->setup_packet leak in error paths - net: ag71xx: check error for platform_get_irq - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() - drm/xe/oa: Fix exec_queue leak on width check in stream open - [arm64] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs - net: mana: validate rx_req_idx to prevent out-of-bounds array access - pds_core: ensure null-termination for firmware version strings - net: gro: don't merge zcopy skbs - landlock: Fix TCP handling of short AF_UNSPEC addresses - block: make bio_integrity_map_user() static inline - security/keys: fix missed RCU read section on lookup https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.93 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - [arm64] drm/v3d: Fix use-after-free of CPU job query arrays on error path - [arm64] drm/v3d: Release indirect CSD GEM reference on CPU job free - net/sched: cls_fw: fix NULL dereference of "old" filters before change() - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930) - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - bcache: fix uninitialized closure object - net: cpsw_new: Fix potential unregister of netdev that has not been registered yet (CVE-2026-43219) - [arm64] Introduce esr_is_ubsan_brk() - [arm64] debug: clean up single_step_handler logic - [arm64] refactor aarch32_break_handler() - [arm64] debug: call software breakpoint handlers statically - [arm64] debug: call step handlers statically - [arm64] debug: remove break/step handler registration infrastructure - [arm64] entry: Add entry and exit functions for debug exceptions - [arm64] debug: split hardware breakpoint exception entry - [arm64] debug: refactor reinstall_suspended_bps() - [arm64] debug: split single stepping exception entry - [arm64] debug: split hardware watchpoint exception entry - [arm64] debug: split brk64 exception entry - [arm64] debug: split bkpt32 exception entry - [arm64] debug: remove debug exception registration infrastructure - [arm64] debug: always unmask interrupts in el0_softstp() - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - vsock: keep poll shutdown state consistent - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - [s390x] net/iucv: fix locking in .getsockopt - scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - ALSA: pcm: oss: Fix setup list UAF on proc write error - [amd64] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - net: hsr: fix potential OOB access in supervision frame handling - [amd64] accel/ivpu: prevent uninitialized data bug in debugfs - gpio: mxc: fix irq_high handling - net: Avoid checksumming unreadable skb tail on trim - ethtool: rss: fix hkey leak when indir_size is 0 - ethtool: module: avoid leaking a netdev ref on module flash errors - ethtool: module: check fw_flash_in_progress under rtnl_lock - ethtool: module: fix cleanup if socket used for flashing multiple devices - ethtool: cmis: require exact CDB reply length - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl - net: ethtool: Add new parameters and a function to support EPL - net: ethtool: Add support for writing firmware blocks using EPL payload - ethtool: cmis: validate start_cmd_payload_size from module - ethtool: cmis: validate fw->size against start_cmd_payload_size - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - ASoC: codecs: simple-mux: Fix enum control bounds check - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - bonding: refuse to enslave CAN devices - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error - ethtool: pse-pd: fix missing ethnl_ops_complete() - ethtool: strset: fix header attribute index in ethnl_req_get_phydev() - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback - ethtool: eeprom: add more safeties to EEPROM Netlink fallback - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" - net/sched: fix packet loop on netem when duplicate is on - net/sched: act_mirred: Move the recursion counter struct netdev_xmit - net/sched: act_mirred: add loop detection - net: Introduce skb tc depth field to track packet loops - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop - net/sched: act_mirred: Fix return code in early mirred redirect error paths - net/handshake: Use spin_lock_bh for hn_lock - nvme-tcp: store negative errno in queue->tls_err - net/handshake: Pass negative errno through handshake_complete() - remove pointless includes of - net/handshake: Take a long-lived file reference at submit - net/handshake: Drain pending requests at net namespace exit - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close - [arm64,armhf] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() - [amd64,arm64] net: mana: Add NULL guards in teardown path to prevent panic on attach failure - sctp: fix race between sctp_wait_for_connect and peeloff - ipv6: fix possible infinite loop in rt6_fill_node() - ipv6: fix possible infinite loop in fib6_select_path() - net: skbuff: fix pskb_carve leaking zcopy pages - perf: Fix dangling cgroup pointer in cpuctx - batman-adv: v: stop OGMv2 on disabled interface - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: tt: reject oversized local TVLV buffers - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: avoid role confusion in tp_list - [s390x] cio: Restore GFP_DMA for CHSC allocation - batman-adv: tp_meter: directly shut down timer on cleanup - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303) - media: rc: fix race between unregister and urb/irq callbacks - media: rc: ttusbir: fix inverted error logic - inet: frags: add inet_frag_queue_flush() - inet: frags: flush pending skbs in fqdir_pre_exit() (CVE-2025-68768) - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: introduce hid_safe_input_report() - HID: core: Fix size_t specifier in hid_report_raw_event() - [amd64] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register - [amd64] drm/i915/psr: Read Intel DPCD workaround register - drm/dp: Add eDP 1.5 bit definition - [amd64] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used - [arm64] io: Rename ioremap_prot() to __ioremap_prot() - [arm64] io: Extract user memory type in ioremap_prot() (CVE-2026-23346) - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X - batman-adv: tt: prevent TVLV entry number overflow - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers - usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT - usb: typec: ucsi: validate connector number in ucsi_connector_change() - USB: serial: safe_serial: fix memory corruption with small endpoint - media: rc: igorplugusb: fix control request setup packet - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range - auxdisplay: line-display: fix OOB read on zero-length message_store() - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - Bluetooth: HIDP: fix missing length checks in hidp_input_report() - Bluetooth: ISO: fix UAF in iso_recv_frame - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync - Input: xpad - fix out-of-bounds access for Share button - parport: Fix race between port and client registration (Closes: #1130365) - USB: cdc-acm: Fix bit overlap and move quirk definitions to header - [arm64] KVM: arm64: PMU: Preserve AArch32 counter low bits - [amd64] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC - [amd64] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use - [amd64] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests - [amd64] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - [amd64] KVM: SEV: Compute the correct max length of the in-GHCB scratch area - [amd64] KVM: SEV: Check PSC request indices against the actual size of the buffer - [amd64] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer - [amd64] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux - iio: adc: npcm: fix unbalanced clk_disable_unprepare() - iio: dac: max5821: fix return value check in powerdown sync - iio: dac: ad5686: fix input raw value check - iio: dac: ad5686: acquire lock when doing powerdown control - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: gyro: adis16260: fix division by zero in write_raw - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() - USB: serial: omninet: fix memory corruption with small endpoint - usb: cdns3: gadget: fix request skipping after clearing halt - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - wireguard: send: append trailer after expanding head - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ipv6: exthdrs: refresh nh after handling HAO option - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - xfrm: input: hold netns during deferred transport reinjection - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - net: skbuff: fix missing zerocopy reference in pskb_carve helpers - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: xpad - add "Nova 2 Lite" from GameSir - Input: xpad - add support for ASUS ROG RAIKIRI II - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [amd64] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [amd64] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - counter: Fix refcount leak in counter_alloc() error path - tty: serial: pch_uart: add check for dma_alloc_coherent() - tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - usb: typec: tcpm: improve handling of DISCOVER_MODES failures - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - usb: gadget: f_fs: copy only received bytes on short ep0 read - usb: gadget: f_fs: serialize DMABUF cancel against request completion - [amd64] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - [amd64] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - scsi: target: iscsi: Validate CHAP_R length before base64 decode - drm/hyperv: validate resolution_count and fix WIN8 fallback - drm/hyperv: validate VMBus packet size in receive callback - [amd64] drm/i915: Fix potential UAF in TTM object purge - drm/amd/pm/si: Disregard vblank time when no displays are connected - serial: altera_jtaguart: handle uart_add_one_port() failures - serial: qcom-geni: fix UART_RX_PAR_EN bit position - serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ - serial: sh-sci: fix memory region release in error path - serial: zs: Fix swapped RI/DSR modem line transition counting - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger - drm/amdkfd: Check for pdd drm file first in CRIU restore path - serial: dz: Fix bootconsole message clobbering at chip reset - serial: dz: Fix bootconsole handover lockup - serial: dz: Convert to use a platform device - serial: zs: Fix bootconsole handover lockup - serial: zs: Switch to using channel reset - serial: zs: Convert to use a platform device - USB: serial: cypress_m8: fix memory corruption with small endpoint - USB: serial: digi_acceleport: fix memory corruption with small endpoints - xhci: tegra: Fix ghost USB device on dual-role port unplug - iommu: Skip PASID validation for devices without PASID capability - [amd64] x86/boot: Disable stack protector for early boot code - [amd64] x86/kexec: Disable KCOV instrumentation after load_segments() (CVE-2026-43331) - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg - rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer - serdev: Provide a bustype shutdown function - Bluetooth: hci_qca: Migrate to serdev specific shutdown function - Bluetooth: hci_qca: Convert timeout from jiffies to ms - ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes - ALSA: scarlett2: Allow flash writes ending at segment boundary - mm/memory: fix spurious warning when unmapping device-private/exclusive pages - [amd64] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery - net: hsr: defer node table free until after RCU readers - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient - ice: fix VF queue configuration with low MTU values - ring-buffer: Flush and stop persistent ring buffer on panic - mptcp: cleanup fallback dummy mapping generation - mptcp: reset rcv wnd on disconnect - [arm64] tlb: Flush walk cache when unsharing PMD tables - [arm64] octeontx2-pf: avoid double free of pool->stack on AQ init failure - mptcp: introduce the mptcp_init_skb helper - mptcp: handle first subflow closing consistently - mptcp: do not drop partial packets - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() - iio: chemical: scd30: Use guard(mutex) to allow early returns - iio: chemical: scd30: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - ALSA: firewire-motu: Protect register DSP event queue positions - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths - usb: musb: omap2430: Fix use-after-free in omap2430_probe() - usb: typec: ucsi: Check if power role change actually happened before handling - [amd64] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - [amd64] x86/alternatives: Rename 'apply_relocation()' to 'text_poke_apply_relocation()' - [amd64] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock - mm: perform all memfd seal checks in a single place - mm/memfd: fix spelling and grammatical issues - memfd: deny writeable mappings when implying SEAL_WRITE - usb: core: Fix SuperSpeed root hub wMaxPacketSize - ethtool: cmis_cdb: Fix incorrect read / write length extension - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow - [arm64] KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CVE-2026-46316) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.94 - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - USB: serial: mct_u232: fix memory corruption with small endpoint - [armhf] group is_permission_fault() with is_translation_fault() - [armhf] allow __do_kernel_fault() to report execution of memory faults - [armhf] fix hash_name() fault - [armhf] fix branch predictor hardening - net: phy: micrel: fix LAN8814 QSGMII soft reset - wifi: remove zero-length arrays - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl - ipv6: mcast: Fix use-after-free when processing MLD queries - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS - [arm64] tee: optee: prevent use-after-free when the client exits before the supplicant - [arm64]soc: qcom: ice: Return -ENODEV if the ICE platform device is not found - erofs: add sysfs node to drop internal caches - erofs: tidy up synchronous decompression - erofs: fix use-after-free on sbi->sync_decompress - ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit - netfilter: synproxy: add mutex to guard hook reference counting - netfilter: conntrack_irc: fix possible out-of-bounds read - netfilter: nft_ct: bail out on template ct in get eval - netfilter: bridge: make ebt_snat ARP rewrite writable - dm cache policy smq: check allocation under invalidate lock - net/sched: act_api: use RCU with deferred freeing for action lifecycle - 6lowpan: fix off-by-one in multicast context address compression - l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() - devlink: Release nested relation on devlink free - [arm64] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c - wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap - pcnet32: stop holding device spin lock during napi_complete_done - net: Annotate sk->sk_write_space() for UDP SOCKMAP. - hsr: Remove WARN_ONCE() in hsr_addr_is_self(). - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - net: fec: fix pinctrl default state restore order on resume - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() - Bluetooth: MGMT: validate advertising TLV before type checks - Bluetooth: RFCOMM: validate skb length in MCC handlers - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling - Bluetooth: bnep: reject short frames before parsing - Bluetooth: fix memory leak in error path of hci_alloc_dev() - Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync - Bluetooth: ISO: Fix not using bc_sid as advertisement SID - Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls - Bluetooth: MGMT: Fix backward compatibility with userspace - [arm64] octeontx2-pf: Fix NDC sync operation errors - [arm64] octeontx2-af: Fix initialization of mcam's entry2target_pffunc field - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options - ptp: vclock: Switch from RCU to SRCU - net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown - net_sched: act_pedit: use RCU in tcf_pedit_dump() - net/sched: fix pedit partial COW leading to page cache corruption (CVE-2026-46331) - [arm64] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow - vxlan: vnifilter: send notification on VNI add - vxlan: vnifilter: fix spurious notification on VNI update - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr - sctp: purge outqueue on stale COOKIE-ECHO handling - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams - ALSA: seq: dummy: fix UMP event stack overread - ima: kexec: skip IMA segment validation after kexec soft reboot - ima: kexec: move IMA log copy from kexec load to execute - spi: cadence-quadspi: fix unclocked access on unbind (CVE-2026-46203) - tools/rv: Fix cleanup after failed trace setup - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - iomap: don't revert iov_iter on partially completed buffered writes - dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() - netlabel: validate unlabeled address and mask attribute lengths - gpio: mvebu: fix NULL pointer dereference in suspend/resume - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls - tcp: restrict SO_ATTACH_FILTER to priv users - net: add pskb_may_pull() to skb_gro_receive_list() - net/mlx4: avoid GCC 10 __bad_copy_from() false positive - net: ibm: emac: Fix use-after-free during device removal - netdev: fix double-free in netdev_nl_bind_rx_doit() - net: phy: clean the sfp upstream if phy probing fails - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove - net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list - net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure - net/mlx5: Use effective affinity mask for IRQ selection - ipv6: sit: reload inner IPv6 header after GSO offloads - net: openvswitch: fix possible kfree_skb of ERR_PTR - r8152: handle the return value of usb_reset_device() - gpio: zynq: fix runtime PM leak on remove - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() - net: guard timestamp cmsgs to real error queue skbs - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: revalidate bridge ports - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister - netfilter: x_tables: avoid leaking percpu counter pointers - netfilter: nf_log: validate MAC header was set before dumping it - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag - [arm64,armhf] net: mvpp2: sync RX data at the hardware packet offset - [arm64,armhf] net: mvpp2: limit XDP frame size to the RX buffer - [arm64,armhf] net: mvpp2: Add metadata support for xdp mode - [arm64,armhf] net: mvpp2: refill RX buffers before XDP or skb use - [arm64,armhf] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS - ipv6: Fix a potential NPD in cleanup_prefix_route() - netfilter: ctnetlink: ensure safe access to master conntrack (CVE-2026-43116) - writeback: Avoid contention on wb->list_lock when switching inodes - writeback: Fix use after free in inode_switch_wbs_work_fn() - xfrm: hold device only for the asynchronous decryption - xfrm: hold dev ref until after transport_finish NF_HOOK (CVE-2026-31663) - [amd64] KVM: VMX: Update SVI during runtime APICv activation - [arm64] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked - clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs - [arm64] clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time - drm/virtio: Fix driver removal with disabled KMS - [arm64,armhf] drm/vc4: fix krealloc() memory leak - drm/xe: fix refcount leak in xe_range_fence_insert() - netfilter: nft_tunnel: fix use-after-free on object destroy - [arm64] tee: shm: fix shm leak in register_shm_helper() - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig - [arm64] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() - [amd64] accel/ivpu: Add bounds checks for firmware log indices - [amd64] accel/ivpu: Add buffer overflow check in MS get_info_ioctl - [amd64] accel/ivpu: Fix signed integer truncation in IPC receive - tracing/probes: Point the error offset correctly for eprobe argument error - mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation - KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying - [amd64] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA - [amd64] drm/i915/gem: Fix phys BO pread/pwrite with offset - pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL - xfrm: espintcp: do not reuse an in-progress partial send - USB: serial: io_ti: fix heap overflow in get_manuf_info() - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow - ALSA: timer: Forcibly close timer instances at closing - ALSA: timer: Fix UAF at snd_timer_user_params() - io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries - drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - mm/huge_memory: update file PMD counter before folio_put() - mm/damon/ops-common: call folio_test_lru() after folio_get() - RDMA/srp: bound SRP_RSP sense copy by the received length - zram: fix use-after-free in zram_bvec_write_partial() - udp: clear skb->dev before running a sockmap verdict - mptcp: fix retransmission loop when csum is enabled - mptcp: close TOCTOU race while computing rcv_wnd - mptcp: allow subflow rcv wnd to shrink - mptcp: sockopt: check timestamping ret value - mptcp: add-addr: always drop other suboptions - wifi: nl80211: reject oversized EMA RNR lists - vsock/vmci: fix sk_ack_backlog leak on failed handshake - timers/migration: Fix livelock in tmigr_handle_remote_up() - ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write - bnxt_en: Fix NULL pointer dereference - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN - inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush - pidfd: refuse access to tasks that have started exiting harder - fs/qnx6: fix pointer arithmetic in directory iteration - fuse: reject fuse_notify() pagecache ops on directories - i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() - i2c: stm32f7: fix timing computation ignoring i2c-analog-filter - i2c: tegra: Fix NOIRQ suspend/resume - Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates - misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - misc: fastrpc: fix use-after-free race in fastrpc_map_create - misc: fastrpc: fix DMA address corruption due to find_vma misuse - misc: fastrpc: Fix NULL pointer dereference in rpmsg callback - net/mlx5: Reorder completion before putting command entry in cmd_work_handler - net: bonding: fix NULL pointer dereference in bond_do_ioctl() - net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind - nvmem: core: fix use-after-free bugs in error paths - nvmem: layouts: onie-tlv: fix hang on unknown types - [arm64] octeontx2-af: fix memory leak in rvu_setup_hw_resources() - io_uring/kbuf: don't truncate end buffer for bundles - io_uring/wait: fix min_timeout behavior - mm/hugetlb: restore reservation on error in hugetlb folio copy paths - mmc: core: Fix host controller programming for fixed driver type - mmc: dw_mmc-rockchip: Add missing private data for very old controllers - mmc: litex_mmc: Set mandatory idle clocks before CMD0 - mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC - mmc: sdhci: add signal voltage switch in sdhci_resume_host - pmdomain: imx: fix OF node refcount - rtase: Avoid sleeping in get_stats64() - rtase: Reset TX subqueue when clearing TX ring - sctp: diag: reject stale associations in dump_one path - sctp: stream: fully roll back denied add-stream state - [amd64] thunderbolt: Reject zero-length property entries in validator - [amd64] thunderbolt: Bound root directory content to block size - [amd64] thunderbolt: Clamp XDomain response data copy to allocation size - [amd64] thunderbolt: Validate XDomain request packet size before type cast - [amd64] thunderbolt: Limit XDomain response copy to actual frame size - [arm64] slimbus: qcom-ngd-ctrl: fix OF node refcount - [arm64] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration - [arm64] slimbus: qcom-ngd-ctrl: Fix probe error path ordering - [arm64] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd - [arm64] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller - [arm64] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership - [arm64] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD - [arm64] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock - drm/amdkfd: fix NULL dereference in get_queue_ids() - drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 - drm/xe: Clear pending_disable before signaling suspend fence - [arm64,armhf] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups - drm/amdgpu: restart the CS if some parts of the VM are still invalidated - drm/amd/pm: fix smu13 power limit default/cap calculation - drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 - drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range - drm/amd/display: Bound VBIOS record-chain walk loops - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size - drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs - drm/amd/display: Use krealloc_array() in dal_vector_reserve() - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling - driver core: reject devices with unregistered buses - mailbox: Fix NULL message support in mbox_send_message() - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf - sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() - netfilter: nft_fib: fix stale stack leak via the OIFNAME register - mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison - RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper - RDMA/umem: Move umem dmabuf revoke logic into helper function - RDMA/umem: Add helpers for umem dmabuf revoke lock - RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - RDMA/umem: fix kernel-doc warnings - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G - mm/hugetlb: avoid false positive lockdep assertion - mptcp: fix missing wakeups in edge scenarios - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - vsock/virtio: fix potential unbounded skb queue - vsock/virtio: fix skb overhead accounting to preserve full buf_alloc - block: fix handling of dead zone write plugs - [arm64] cputype: Add NVIDIA Olympus definitions - [arm64] cputype: Add C1-Ultra definitions - [arm64] cputype: Add C1-Premium definitions - [arm64] errata: Mitigate TLBI errata on various Arm CPUs - [arm64] errata: Mitigate TLBI errata on NVIDIA Olympus CPU - [arm64] errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - net: introduce EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() - tcp: use EXPORT_IPV6_MOD[_GPL]() - tcp: secure_seq: add back ports to TS offset (CVE-2026-23247) - mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation - vsock/virtio: fix skb overhead overflow on 32-bit builds - netfilter: require Ethernet MAC header before using eth_hdr() . [ Salvatore Bonaccorso ] * [rt] Refresh "ARM: enable irq in translation/section permission fault" * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) linux (6.12.94-1~bpo12+1) bookworm-backports; urgency=medium . * Rebuild for bookworm-backports . linux (6.12.94-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.91 - io_uring/kbuf: use mem_is_zero() - blk-cgroup: wait for blkcg cleanup before initializing new disk - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START - fs/mbcache: cancel shrink work before destroying the cache - md/raid1: fix the comparing region of interval tree - drbd: Balance RCU calls in drbd_adm_dump_devices() - loop: fix partition scan race between udev and loop_reread_partitions() - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() - pstore/ram: fix resource leak when ioremap() fails - md: wake raid456 reshape waiters before suspend - btrfs: pass struct btrfs_inode to clone_copy_inline_extent() - btrfs: fix deadlock between reflink and transaction commit when using flushoncommit - [amd64] ACPI: x86: cmos_rtc: Clean up address space handler driver - [amd64] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver - devres: fix missing node debug info in devm_krealloc() - thermal/drivers/spear: Fix error condition for reading st,thermal-flags - debugfs: check for NULL pointer in debugfs_create_str() - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() - soundwire: debugfs: initialize firmware_file to empty string - PCI: use generic driver_override infrastructure - platform/wmi: use generic driver_override infrastructure - [s390x] cio: use generic driver_override infrastructure - bus: fsl-mc: use generic driver_override infrastructure - irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter - hrtimers: Update the return type of enqueue_hrtimer() - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() - hrtimer: Reduce trace noise in hrtimer_start() - locking: Fix rwlock support in - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet - bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n - [s390x] bpf: Zero-extend bpf prog return values and kfunc arguments - params: Replace __modinit with __init_or_module - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control - wifi: mt76: mt7615: fix use_cts_prot support - wifi: mt76: mt7915: fix use_cts_prot support - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() - wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor - wifi: mt76: mt7921: Place upper limit on station AID - [arm64] cpufeature: Make PMUVer and PerfMon unsigned - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() - wifi: mt76: mt7921: fix 6GHz regulatory update on connection - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path - bpf: Fix variable length stack write over spilled pointers - bpf,arc_jit: Fix missing newline in pr_err messages - wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() - r8152: fix incorrect register write to USB_UPHY_XTAL - [powerpc*] crash: fix backup region offset update to elfcorehdr - [powerpc*] crash: Update backup region offset in elfcorehdr on memory hotplug - macvlan: annotate data-races around port->bc_queue_len_used - bpf: fix end-of-list detection in cgroup_storage_get_next_key() - bpf: Fix stale offload->prog pointer after constant blinding - wifi: brcmfmac: Fix error pointer dereference - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() - wifi: ath10k: fix station lookup failure during disconnect - ACPI: AGDI: fix missing newline in error message - [arm64] kexec: Remove duplicate allocation for trans_pgd - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb - net: bcmgenet: add bcmgenet_has_* helpers - net: bcmgenet: move DESC_INDEX flow to ring 0 - net: bcmgenet: support reclaiming unsent Tx packets - net: bcmgenet: switch to use 64bit statistics - net: bcmgenet: fix racing timeout handler - eth: fbnic: Use wake instead of start - netfilter: xt_socket: enable defrag after all other checks - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - bpf: fix mm lifecycle in open-coded task_vma iterator - bpf: switch task_vma iterator from mmap_lock to per-VMA locks - bpf: return VMA snapshot from task_vma iterator - bpf: Fix RCU stall in bpf_fd_array_map_clear() - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf - bpf: Relax scalar id equivalence for state pruning - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars - net/sched: act_ct: Only release RCU read lock after ct_ft - net: airoha: Implement BQL support - net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() - bpf: Allow instructions with arena source and non-arena dest registers - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace - bpf: Fix OOB in pcpu_init_value - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 - net: phy: fix a return path in get_phy_c45_ids() - net/mlx5e: Fix features not applied during netdev registration - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec - net: phy: qcom: at803x: Use the correct bit to disable extended next page - ipv4: udp: fix typos in comments - ipv6: udp: fix typos in comments - udp: Force compute_score to always inline - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init(). - sctp: fix missing encap_port propagation for GSO fragments - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master - drm/komeda: fix integer overflow in AFBC framebuffer size check - ASoC: SOF: ipc3: Use standard dev_dbg API - ASoC: add symmetric_ prefix for dai->rate/channels/sample_bits - ASoC: soc-compress: use function to clear symmetric params - drm/sun4i: backend: fix error pointer dereference - ASoC: sti: Return errors from regmap_field_alloc() - ASoC: sti: use managed regmap_field allocations - dm cache: fix null-deref with concurrent writes in passthrough mode - dm cache: fix write path cache coherency in passthrough mode - dm cache: fix write hang in passthrough mode - dm cache policy smq: fix missing locks in invalidating cache blocks - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching - platform/chrome: chromeos_tbmc: Drop wakeup source on remove - PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs encoding - PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() - PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() - dm cache metadata: fix memory leak on metadata abort retry - dm log: fix out-of-bounds write due to region_count overflow - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check - spi: spi-nxp-fspi: enable runtime pm for fspi - spi: nxp-fspi: Use reinit_completion() for repeated operations - spi: fsl-qspi: Use reinit_completion() for repeated operations - media: i2c: og01a1b: Replace client->dev usage - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe - drm/v3d: Handle error from drm_sched_entity_init() - drm/sun4i: Fix resource leaks - drm/amdgpu: Add default case in DVI mode validation - dm init: ensure device probing has finished in dm-mod.waitfor= - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break - crypto: tegra - finalize crypto req on error - crypto: tegra - Transfer HASH init function to crypto engine - crypto: tegra - Reserve keyslots to allocate dynamically - crypto: tegra - Disable softirqs before finalizing request - crypto: atmel - Use unregister_{aeads,ahashes,skciphers} - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs - padata: Remove cpu online check from cpu add and removal - padata: Put CPU offline callback in ONLINE section to allow failure - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation - drm/amdgpu/gfx10: look at the right prop for gfx queue priority - drm/amdgpu/gfx11: look at the right prop for gfx queue priority - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo - drm/imagination: Switch reset_reason fields from enum to u32 - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() - [arm64] drm/msm/dpu: fix mismatch between power and frequency - [arm64] drm/msm/dsi: add the missing parameter description - [arm64] drm/msm/dsi: fix bits_per_pclk - [arm64] drm/msm/dsi: fix hdisplay calculation for CMD mode panel - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first - drm/panel: simple: Correct G190EAN01 prepare timing - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board - drm/amdgpu: add amdgpu_device reference in ip block - drm/amdgpu: update the handle ptr in dump_ip_state - drm/amdgpu: update the handle ptr in early_init - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled - hwmon: Switch back to struct platform_driver::remove() - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') - [amd64] ASoC: SOF: Intel: hda: Place check before dereference - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/shrinker: Fix can_block() logic - [arm64] drm/msm/a6xx: Fix dumping A650+ debugbus blocks - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - pmdomain: ti: omap_prm: Fix a reference leak on device node - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() - PM: domains: De-constify fields in struct dev_pm_domain_attach_data - ASoC: fsl_micfil: Add access property for "VAD Detected" - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() - ASoC: fsl_micfil: Fix event generation in micfil_quality_set() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() - ASoC: fsl_easrc: Change the type for iec958 channel status controls - [amd64] iommu/amd: Remove protection_domain.dev_cnt variable - [amd64] iommu/amd: xarray to track protection_domain->iommu list - [amd64] iommu/amd: Do not detach devices in domain free path - [amd64] iommu/amd: Reduce domain lock scope in attach device path - [amd64] iommu/amd: Rearrange attach device code - [amd64] iommu/amd: Convert dev_data lock from spinlock to mutex - [amd64] iommu/amd: Introduce helper function to update 256-bit DTE - [amd64] iommu/amd: Introduce helper function get_dte256() - [amd64] iommu/amd: Fix clone_alias() to use the original device's devid - [arm64] ASoC: qcom: qdsp6: topology: check widget type before accessing data - crypto: qat - introduce fuse array - crypto: qat - disable 4xxx AE cluster when lead engine is fused off - crypto: qat - disable 420xx AE cluster when lead engine is fused off - crypto: qat - fix type mismatch in RAS sysfs show functions - crypto: qat - use swab32 macro - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] - PCI: Enable AtomicOps only if Root Port supports them - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found - Documentation: fix a hugetlbfs reservation statement - ALSA: scarlett2: Add missing sentinel initializer field - ASoC: SOF: compress: return the configured codec from get_params - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports - PCI: tegra194: Fix polling delay for L2 state - PCI: tegra194: Increase LTSSM poll time on surprise link down - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down - PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0() - PCI: tegra194: Don't force the device into the D0 state before L2 - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode - PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" - PCI: tegra194: Disable direct speed change for Endpoint mode - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode - PCI: tegra194: Allow system suspend when the Endpoint link is not up - PCI: tegra194: Free up Endpoint resources during remove() - PCI: tegra194: Use DWC IP core version - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on - spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback - ALSA: sc6000: Keep the programmed board state in card-private data - dm cache: fix missing return in invalidate_committed's error path - crypto: jitterentropy - replace long-held spinlock with mutex - ALSA: hda/realtek - fixed speaker no sound update - gfs2: Call unlock_new_inode before d_instantiate - net/socket.c: switch to CLASS(fd) - fdget(), trivial conversions - fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() - quota: Fix race of dquot_scan_active() with quota deactivation - gfs2: add some missing log locking - gfs2: prevent NULL pointer dereference during unmount - efi/capsule-loader: fix incorrect sizeof in phys array reallocation - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine - [arm64] dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon - memory: tegra124-emc: Fix dll_change check - memory: tegra30-emc: Fix dll_change check - [arm64] dts: imx8-apalis: Fix LEDs name collision - [arm64] dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) - iommufd: vfio compatibility extension check for noiommu mode - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7981b: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count - [arm64] dts: qcom: msm8953-xiaomi-vince: correct wled ovp value - [arm64] dts: qcom: msm8953-xiaomi-daisy: fix backlight - [arm64] dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi - [arm64] dts: rockchip: Correct Fan Supply for Gameforce Ace - [arm64] dts: rockchip: Correct Joystick Axes on Gameforce Ace - [arm64] soc: qcom: ocmem: make the core clock optional - [arm64] soc: qcom: ocmem: register reasons for probe deferrals - [arm64] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available - bus: rifsc: fix RIF configuration check for peripherals - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix GIC_ITS range length - [arm64] dts: qcom: sm8650: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix xo clock supply of platform SD host controller - [arm64] dts: qcom: sm8650: Fix xo clock supply of SD host controller - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - [arm64] dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins - [arm64] dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins - [arm64] dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label - [arm64] dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing - [arm64] dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit - [arm64] dts: lx2160a: remove duplicate pinmux nodes - [arm64] dts: lx2160a: rename pinmux nodes for readability - [arm64] dts: lx2160a: add sda gpio references for i2c bus recovery - [arm64] dts: lx2160a: change zeros to hexadecimal in pinmux nodes - [arm64] dts: lx2160a: complete pinmux for rcwsr12 configuration word - [arm64] dts: imx8qm-mek: switch Type-C connector power-role to dual - [arm64] dts: imx8qxp-mek: switch Type-C connector power-role to dual - soc/tegra: cbb: Set ERD on resume for err interrupt - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure - ocfs2/dlm: validate qr_numregions in dlm_match_regions() - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison - soc: qcom: llcc: fix v1 SB syndrome register offset - [arm64] soc: qcom: aoss: compare against normalized cooling state - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP - [arm64] xor: fix conflicting attributes for xor_block_template - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP - ocfs2: fix listxattr handling when the buffer is full - ocfs2: validate bg_bits during freefrag scan - ocfs2: validate group add input before caching - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function - soundwire: bus: demote UNATTACHED state warnings to dev_dbg() - dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - soundwire: cadence: Clear message complete before signaling waiting thread - tracing: Rebuild full_name on each hist_field_name() call - hte: tegra194: remove Kconfig dependency on Tegra194 SoC - remoteproc: xlnx: Fix sram property parsing - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: make asus_resume adhere to linux kernel coding standards - HID: asus: do not abort probe when not necessary - mtd: physmap_of_gemini: Fix disabled pinctrl state check - ima_fs: don't bother with removal of files in directory we'll be removing - ima_fs: get rid of lookup-by-dentry stuff - ima_fs: Correctly create securityfs files for unsupported hash algos - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range - mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions - cxl/pci: Check memdev driver binding status in cxl_reset_done() - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() - ext4: fix possible null-ptr-deref in mbt_kunit_exit() - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check - bpf, sockmap: Fix af_unix iter deadlock - bpf, sockmap: Fix af_unix null-ptr-deref in proto update - bpf, sockmap: Take state lock for af_unix iter - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - bpf: Fix NULL deref in map_kptr_match_type for scalar regs - bpf: allow UTF-8 literals in bpf_bprintf_prepare() - bpf: Validate node_id in arena_alloc_pages() - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT - pinctrl: pinctrl-pic32: Fix resource leak - pinctrl: cy8c95x0: remove duplicate error message - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() - pinctrl: cy8c95x0: Avoid returning positive values to user space - perf branch: Avoid incrementing NULL - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace - pinctrl: realtek: Fix function signature for config argument - pinctrl: abx500: Fix type of 'argument' variable - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers - perf lock: Fix option value type in parse_max_stack - perf stat: Fix opt->value type for parse_cache_level - perf tools: Fix module symbol resolution for non-zero .text sh_addr - perf expr: Return -EINVAL for syntax error in expr__find_ids() - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure - ipmi: ssif_bmc: fix message desynchronization after truncated response - ipmi: ssif_bmc: change log level to dbg in irq callback - perf evsel: Add alternate_hw_config and use in evsel__match - perf tool_pmu: Factor tool events into their own PMU - perf python: Add parse_events function - perf cgroup: Update metric leader in evlist__expand_cgroup - perf maps: Fix copy_from that can break sorted by name order - perf util: Kill die() prototype, dead for a long time - reset: replace boolean parameters with flags parameter - reset: Add devres helpers to request pre-deasserted reset controls - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status - backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() - platform/surface: surfacepro3_button: Drop wakeup source on remove - leds: lgm-sso: Remove duplicate assignments for priv->mmap - tty: hvc_iucv: fix off-by-one in number of supported devices - platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - [amd64] platform/x86: asus-wmi: adjust screenpad power/brightness handling - [amd64] platform/x86: asus-wmi: fix screenpad brightness range - tty: serial: ip22zilog: Fix section mispatch warning - fs/ntfs3: terminate the cached volume label after UTF-8 conversion - [amd64] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - [amd64] platform/x86: dell-wmi-sysman: bound enumeration string aggregation - RDMA/core: Prefer NLA_NUL_STRING - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source - scsi: sg: Fix sysctl sg-big-buff register during sg_init() - scsi: sg: Resolve soft lockup issue when opening /dev/sgX - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting - scsi: target: core: Fix integer overflow in UNMAP bounds check - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Use retention for USB power domains - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - clk: imx8mq: Correct the CSI PHY sels - [amd64] x86/um/vdso: Drop VDSO64-y from Makefile - clk: qoriq: avoid format string warning - clk: xgene: Fix mapping leak in xgene_pllclk_init() - dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets - clk: qcom: dispcc-sc7180: Add missing MDSS resets - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON - clk: visconti: pll: initialize clk_init_data to zero - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() - [amd64] drm/i915: Relocate the SKL wm sanitation code - [amd64] drm/i915/wm: Verify the correct plane DDB entry - crypto: sa2ul - Fix AEAD fallback algorithm names - crypto: ccp - copy IV using skcipher ivsize - erofs: add encoded extent on-disk definition - erofs: do sanity check on m->type in z_erofs_load_compact_lcluster() - erofs: avoid infinite loops due to corrupted subpage compact indexes (CVE-2025-68251) - erofs: unify lcn as u64 for 32-bit platforms - [arm64] dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT - PCMCIA: Fix garbled log messages for KERN_CONT - [arm64] dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT - [arm64] dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names - net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir - macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: fix IPv6 route referencing IPv4 nexthop - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch - tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE - tcp: annotate data-races around tp->bytes_sent - tcp: annotate data-races around tp->bytes_retrans - tcp: annotate data-races around tp->dsack_dups - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - tcp: annotate data-races around tp->plb_rehash - ice: update PCS latency settings for E825 10G/25Gb modes - ice: Remove jumbo_remove step from TX path - ice: fix double-free of tx_buf skb - ice: fix ICE_AQ_LINK_SPEED_M for 200G - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks - pppoe: drop PFC frames - net/mlx5: Fix HCA caps leak on notifier init failure - openvswitch: cap upcall PID array size and pre-size vport replies - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO - netfilter: conntrack: remove sprintf usage - netfilter: xtables: restrict several matches to inet family - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check - slip: reject VJ receive packets on instances with no rstate array - slip: bound decode() reads against the compressed packet length - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - pwm: atmel-tcb: Cache clock rates and mark chip as atomic - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() - ksmbd: destroy async_ida in ksmbd_conn_free() - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open - ksmbd: scope conn->binding slowpath to bound sessions only - net/rds: zero per-item info buffer before handing it to visitors - ice: fix timestamp interrupt configuration for E825C - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - net: dsa: realtek: rtl8365mb: fix mode mask calculation - net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() - virtio_net: Split struct virtio_net_rss_config - virtio_net: Fix endian with virtio_net_ctrl_rss - virtio_net: Use new RSS config structs - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() - rtc: abx80x: Disable alarm feature if no interrupt attached - kbuild: builddeb - avoid recompiles for non-cross-compiles - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case - mailbox: mailbox-test: free channels on probe error - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array - mailbox: mailbox-test: don't free the reused channel - mailbox: mailbox-test: initialize struct earlier - mailbox: mailbox-test: make data_ready a per-instance variable - fsnotify: fix inode reference leak in fsnotify_recalc_mask() - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - cgroup: Increment nr_dying_subsys_* from rmdir context - tracing: branch: Fix inverted check on stat tracer registration - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers - netfilter: arp_tables: fix IEEE1394 ARP payload parsing - nvme-pci: fix missed admin queue sq doorbell write - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG - drm/amdgpu: fix spelling typos - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching - netfilter: nf_conntrack_sip: don't use simple_strtoul - [amd64] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ - drm/sysfb: ofdrm: fix PCI device reference leaks - arm64/scs: Fix potential sign extension issue of advance_loc4 - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets - net/sched: netem: only reseed PRNG when seed is explicitly provided - net/sched: netem: validate slot configuration - net/sched: netem: fix slot delay calculation overflow - net/sched: netem: check for negative latency and jitter - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - NFC: trf7970a: Ignore antenna noise when checking for RF field - net/sched: taprio: fix NULL pointer dereference in class dump - neigh: let neigh_xmit take skb ownership - tcp: make probe0 timer handle expired user timeout - net, treewide: define and use MAC_ADDR_STR_LEN - netconsole: allow selection of egress interface via MAC address - netpoll: Extract carrier wait function - netpoll: extract IPv4 address retrieval into helper function - netpoll: fix IPv6 local-address corruption - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams - sched/fair: Clear rel_deadline when initializing forked entities - net: mctp i2c: check length before marking flow active - net: phy: dp83869: fix setting CLK_O_SEL field. - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring - ASoC: codecs: ab8500: Fix casting of private data - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - netconsole: propagate device name truncation in dev_name_store() - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 - ALSA: hda/conexant: Fix missing error check for jack detection - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - drm/xe/debugfs: Correct printing of register whitelist ranges - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() - drm/xe/gsc: Fix BO leak on error in query_compatibility_version() - page_pool: Set `dma_sync` to false for devmem memory provider - net: page_pool: create hooks for custom memory providers - page_pool: fix memory-provider leak in page_pool_create_percpu() error path - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING - iavf: stop removing VLAN filters from PF on interface down - iavf: wait for PF confirmation before removing VLAN filters - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler - ice: fix NULL pointer dereference in ice_reset_all_vfs() - net: tls: fix strparser anchor skb leak on offload RX setup failure - sfc: fix error code in efx_devlink_info_running_versions() - net/sched: cls_flower: revert unintended changes - [arm64] Reserve an extra page for early kernel mapping - smb: client: correctly handle ErrorContextData as a flexible array - smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613) - LoongArch: KVM: Compile switch.S directly into the kernel - ntfs: ->d_compare() must not block - PCI: Initialize temporary device in new_id_store() - net: bcmgenet: Initialize u64 stats seq counter - net: bcmgenet: fix leaking free_bds - [amd64] iommu/amd: Reorder attach device code - [amd64] iommu/amd: Put list_add/del(dev_data) back under the domain->lock - perf tool_pmu: Fix aggregation on duration_time - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - netpoll: Extract IPv6 address retrieval function - netpoll: pass buffer size to egress_dev() to avoid MAC truncation - page_pool: fix incorrect mp_ops error handling - crypto: af_alg - Cap AEAD AD length to 0x80000000 - i40e: Cleanup PTP pins on probe failure - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path - netfilter: nf_conntrack_sip: get helper before allocating expectation - audit: fix incorrect inheritable capability in CAPSET records - Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" - netfilter: nft_ct: fix missing expect put in obj eval - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic - [amd64] KVM: x86: Fix Xen hypercall tracepoint argument assignment - netfilter: nf_tables: unconditionally bump set->nelems before insertion (CVE-2026-23272) - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands - smb/client: fix possible infinite loop and oob read in symlink_data() - [amd64] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans - ALSA: usb-audio: Bound MIDI endpoint descriptor scans - ceph: fix a buffer leak in __ceph_setxattr() - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - [powerpc*] warp: Fix error handling in pika_dtm_thread - netfs: fix error handling in netfs_extract_user_iter() - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining - libceph: Fix potential out-of-bounds access in osdmap_decode() - libceph: Fix potential null-ptr-deref in decode_choose_args() - libceph: Fix potential out-of-bounds access in crush_decode() - libceph: handle rbtree insertion error in decode_choose_args() - [amd64] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [amd64] drm/i915: skip __i915_request_skip() for already signaled requests - drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - drm/xe/dma-buf: handle empty bo and UAF races - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - drm/gma500/oaktrail_lvds: fix hang on init failure - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init - iommufd: Fix return value of iommufd_fault_fops_write() - eventfs: Use list_add_tail_rcu() for SRCU-protected children list - drm/v3d: Reject empty multisync extension to prevent infinite loop - btrfs: use inode already stored in local variable at btrfs_rmdir() - btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() - btrfs: fix missing last_unlink_trans update when removing a directory - smb: client: Use FullSessionKey for AES-256 encryption key derivation - btrfs: do not mark inode incompressible after inline attempt fails - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() - sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new - mptcp: pm: prio: skip closed subflows - mptcp: drop __mptcp_fastopen_gen_msk_ackseq() - mptcp: fix rx timestamp corruption on fastopen - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix false alarm of lockdep on cp_global_sem lock - spi: sifive: Simplify clock handling with devm_clk_get_enabled() - spi: sifive: fix controller deregistration - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - netfs: Fix potential uninitialised var in netfs_extract_user_iter() https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.92 - mptcp: sync the msk->sndbuf at accept() time - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount (CVE-2026-46158) - mptcp: pm: ADD_ADDR rtx: free sk if last (CVE-2026-46170) - ksmbd: validate owner of durable handle on reconnect (CVE-2026-31717) - drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() (CVE-2026-46216) - [s390x] debug: Reject zero-length input before trimming a newline - Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" - Revert "perf tool_pmu: Fix aggregation on duration_time" - Revert "perf python: Add parse_events function" - Revert "perf tool_pmu: Factor tool events into their own PMU" - bridge: mrp: reject zero test interval to avoid OOM panic (CVE-2026-31420) - spi: spi-dw-dma: fix print error log when wait finish transaction (CVE-2026-31560) - Revert "x86/vdso: Fix output operand size of RDPID" - sched/deadline: Less agressive dl_server handling - sched/deadline: Fix dl_server_stopped() - sched/deadline: Fix dl_server getting stuck - sched/deadline: Fix dl_server behaviour - sched/deadline: Stop dl_server before CPU goes offline - ksmbd: close durable scavenger races against m_fp_list lookups - af_unix: Give up GC if MSG_PEEK intervened. (CVE-2026-23394) - drm/imagination: Synchronize interrupts before suspending the GPU (CVE-2026-23469) - ata: libata-scsi: improve readability of ata_scsi_qc_issue() - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS - ata: libata-scsi: do not needlessly defer commands when using PMP with FBS - perf parse-events: Expose/rename config_term_name - Revert "ice: fix double-free of tx_buf skb" - Revert "ice: Remove jumbo_remove step from TX path" - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 - net/mlx5e: Trigger neighbor resolution for unresolved destinations - net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init - [amd64] x86/fgraph: Fix return_to_handler regs.rsp value - [amd64] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set - [riscv64] fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS - [riscv64] fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler (CVE-2025-22069) - hwmon: (pmbus/core) Protect regulator operations with mutex - [arm64] Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL - sysfs: don't remove existing directory on update failure - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() - ksmbd: fix null pointer dereference in compare_guid_key() - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow - ksmbd: validate SID in parent security descriptor during ACL inheritance - smb: client: require net admin for CIFS SWN netlink - smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() - smb: client: use data_len for SMB2 READ encrypted folioq copy - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX - ALSA: ua101: Reject too-short USB descriptors - ALSA: pcm: Don't setup bogus iov_iter for silencing - ALSA: asihpi: Fix potential OOB array access at reading cache - efi: Allocate runtime workqueue before ACPI init - io_uring/waitid: clear waitid info before copying it to userspace - drivers/base/memory: fix memory block reference leak in poison accounting - ipv6: ioam: refresh hdr pointer before ioam6_event() - mm/memory_hotplug: fix memory block reference leak on remove - net: wwan: iosm: fix potential memory leaks in ipc_imem_init() - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer - Bluetooth: MGMT: validate Add Extended Advertising Data length - Bluetooth: serialize accept_q access - phonet/pep: disable BH around forwarded sk_receive_skb() - net: bcmgenet: keep RBUF EEE/PM disabled - net: ifb: report ethtool stats over num_tx_queues - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() - netfilter: ip6t_hbh: reject oversized option lists - netfilter: nf_queue: hold bridge skb->dev while queued - netfilter: ipset: stop hash:* range iteration at end - netfilter: nft_inner: Fix IPv6 inner_thoff desync - sched_ext: Fix missing warning in scx_set_task_state() default case - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path - cgroup/cpuset: Reset DL migration state on can_attach() failure - fs/ntfs3: handle attr_set_size() errors when truncating files - l2tp: use list_del_rcu in l2tp_session_unhash - qed: fix double free in qed_cxt_tables_alloc() - ring-buffer: Fix reporting of missed events in iterator - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() - vsock/vmci: fix UAF when peer resets connection during handshake - vsock/virtio: reset connection on receiving queue overflow - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - rbd: eliminate a race in lock_dwork draining on unmap - lsm: hold cred_guard_mutex for lsm_set_self_attr() - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index - ice: fix setting promisc mode while adding VID filter - ice: restore PTP Rx timestamp config after ethtool set-channels - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - af_unix: Fix UAF read of tail->len in unix_stream_data_wait() - wifi: mac80211: consume only present negotiated TTLM maps - cifs: Fix busy dentry used after unmounting - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [arm64] probes: Handle probes on hinted conditional branch instructions - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits - [arm64] KVM: arm64: vgic: Free private_irqs when init fails after allocation - [riscv64] kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe - spi: qup: fix error pointer deref after DMA setup failure - [arm64] phy: tegra: xusb: Fix per-pad high-speed termination calibration - scsi: isci: Fix use-after-free in device removal path - spi: ep93xx: fix error pointer deref after DMA setup failure - spi: sprd: fix error pointer deref after DMA setup failure - spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - device property: set fwnode->secondary to NULL in fwnode_init() - drm/virtio: use uninterruptible resv lock for plane updates - drm/amdgpu/vpe: Force collaborate sync after TRAP - drm/bridge: it66121: acquire reset GPIO in probe - drm/bridge: megachips: remove bridge when irq request fails - drm/amd/display: Fix integer overflow in bios_get_image() - drm/amd/display: Validate GPIO pin LUT table size before iterating - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown - batman-adv: dat: handle forward allocation error - batman-adv: fix fragment reassembly length accounting - batman-adv: fix tp_meter counter underflow during shutdown - batman-adv: frag: disallow unicast fragment in fragment - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock - hwmon: (pmbus/adm1266) reject implausible blackbox record_count - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors - [arm64] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume - HID: uclogic: Fix regression of input name assignment - [riscv64] mm: Fixup no5lvl failure when vaddr is invalid - [arm64] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 - ALSA: hda: cs35l56: Put ACPI device after setting companion - ALSA: hda: cs35l41: Put ACPI device on missing physical node - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - netfilter: x_tables: unregister the templates first - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() - tcp: Fix imbalanced icsk_accept_queue count. - ice: fix setting RSS VSI hash for E830 - ice: fix locking in ice_dcb_rebuild() - net: lan966x: avoid unregistering netdev on register failure - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - NFSD: Fix infinite loop in layout state revocation - irqchip/ath79-cpu: Remove unused function - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation - nsfs: fix wrong error code returned for pidns ioctls - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT - zonefs: handle integer overflow in zonefs_fname_to_fno - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). - [powerpc*] fix dead default for GUEST_STATE_BUFFER_TEST - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call - netfs: Fix overrun check in netfs_extract_user_iter() - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone - netfs: Defer the emission of trace_netfs_folio() - netfs: Fix streaming write being overwritten - netfs: Fix potential deadlock in write-through mode - netfs: Fix write streaming disablement if fd open O_RDWR - netfs: Fix early put of sink folio in netfs_read_gaps() - netfs: Fix partial invalidation of streaming-write folio - netfs: Fix a few minor bugs in netfs_page_mkwrite() - netfs: Remove unnecessary references to pages - netfs: Fix folio->private handling in netfs_perform_write() - net: ethernet: cortina: Make RX SKB per-port - net: ethernet: cortina: Drop half-assembled SKB - net: ethernet: cortina: Carry over frag counter - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference - wifi: ath11k: fix error path leaks in some WMI WOW calls - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() - wifi: ath10k: skip WMI and beacon transmission when device is wedged - blk-integrity: remove seed for user mapped buffers - block: don't overwrite bip_vcnt in bio_integrity_copy_user() - block: recompute nr_integrity_segments in blk_insert_cloned_request - HID: quirks: really enable the intended work around for appledisplay - block: modify bio_integrity_map_user to accept iov_iter as argument - block: drop direction param from bio_integrity_copy_user() - blk-integrity: use simpler alignment check - blk-integrity: enable p2p source and destination - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() - accel/qaic: Add overflow check to remap_pfn_range during mmap - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - [arm64] drm/msm/dsi: don't dump registers past the mapped region - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN - [powerpc*] time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - net: phy: DP83TC811: add reading of abilities - [amd64] x86/xen: Fix xen_e820_swap_entry_with_ram() - tls: Preserve sk_err across recvmsg() when data has been copied - net/mlx5: Do not restore destination-less TC rules - scsi: sd: Fix return code handling in sd_spinup_disk() - ALSA: scarlett2: Add missing error check when initialise Autogain Status - io_uring/net: punt IORING_OP_BIND async if it needs file create - btrfs: fix squota accounting during enable generation - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions - drm/xe/gsc: Fix double-free of managed BO in error path - drm/xe/vf: Fix signature of print functions - drm/xe/pf: Fix CFI failure in debugfs access - wifi: ath11k: fix peer resolution on rx path when peer_id=0 - ice: ptp: serialize E825 PHY timer start with PTP lock - [amd64] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP - [arm64] net: dsa: mt7530: fix FDB entries not aging out with short timeout - [arm64] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer - platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 - [amd64] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL - [amd64] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL - RDMA/rtrs: Fix use-after-free in path file creation cleanup - net: bridge: Flush multicast groups when snooping is disabled - bridge: mcast: Fix a possible use-after-free when removing a bridge port - pds_core: fix error handling in pdsc_devcmd_wait - pds_core: fix debugfs_lookup dentry leak and error handling - wifi: mac80211: fix MLE defragmentation - ALSA: seq: Serialize UMP output teardown with event_input - tracing: Avoid NULL return from hist_field_name() on truncation - Bluetooth: btmtk: fix urb->setup_packet leak in error paths - net: ag71xx: check error for platform_get_irq - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() - drm/xe/oa: Fix exec_queue leak on width check in stream open - [arm64] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs - net: mana: validate rx_req_idx to prevent out-of-bounds array access - pds_core: ensure null-termination for firmware version strings - net: gro: don't merge zcopy skbs - landlock: Fix TCP handling of short AF_UNSPEC addresses - block: make bio_integrity_map_user() static inline - security/keys: fix missed RCU read section on lookup https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.93 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - [arm64] drm/v3d: Fix use-after-free of CPU job query arrays on error path - [arm64] drm/v3d: Release indirect CSD GEM reference on CPU job free - net/sched: cls_fw: fix NULL dereference of "old" filters before change() - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930) - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - bcache: fix uninitialized closure object - net: cpsw_new: Fix potential unregister of netdev that has not been registered yet (CVE-2026-43219) - [arm64] Introduce esr_is_ubsan_brk() - [arm64] debug: clean up single_step_handler logic - [arm64] refactor aarch32_break_handler() - [arm64] debug: call software breakpoint handlers statically - [arm64] debug: call step handlers statically - [arm64] debug: remove break/step handler registration infrastructure - [arm64] entry: Add entry and exit functions for debug exceptions - [arm64] debug: split hardware breakpoint exception entry - [arm64] debug: refactor reinstall_suspended_bps() - [arm64] debug: split single stepping exception entry - [arm64] debug: split hardware watchpoint exception entry - [arm64] debug: split brk64 exception entry - [arm64] debug: split bkpt32 exception entry - [arm64] debug: remove debug exception registration infrastructure - [arm64] debug: always unmask interrupts in el0_softstp() - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - vsock: keep poll shutdown state consistent - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - [s390x] net/iucv: fix locking in .getsockopt - scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - ALSA: pcm: oss: Fix setup list UAF on proc write error - [amd64] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - net: hsr: fix potential OOB access in supervision frame handling - [amd64] accel/ivpu: prevent uninitialized data bug in debugfs - gpio: mxc: fix irq_high handling - net: Avoid checksumming unreadable skb tail on trim - ethtool: rss: fix hkey leak when indir_size is 0 - ethtool: module: avoid leaking a netdev ref on module flash errors - ethtool: module: check fw_flash_in_progress under rtnl_lock - ethtool: module: fix cleanup if socket used for flashing multiple devices - ethtool: cmis: require exact CDB reply length - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl - net: ethtool: Add new parameters and a function to support EPL - net: ethtool: Add support for writing firmware blocks using EPL payload - ethtool: cmis: validate start_cmd_payload_size from module - ethtool: cmis: validate fw->size against start_cmd_payload_size - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - ASoC: codecs: simple-mux: Fix enum control bounds check - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - bonding: refuse to enslave CAN devices - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error - ethtool: pse-pd: fix missing ethnl_ops_complete() - ethtool: strset: fix header attribute index in ethnl_req_get_phydev() - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback - ethtool: eeprom: add more safeties to EEPROM Netlink fallback - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" - net/sched: fix packet loop on netem when duplicate is on - net/sched: act_mirred: Move the recursion counter struct netdev_xmit - net/sched: act_mirred: add loop detection - net: Introduce skb tc depth field to track packet loops - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop - net/sched: act_mirred: Fix return code in early mirred redirect error paths - net/handshake: Use spin_lock_bh for hn_lock - nvme-tcp: store negative errno in queue->tls_err - net/handshake: Pass negative errno through handshake_complete() - remove pointless includes of - net/handshake: Take a long-lived file reference at submit - net/handshake: Drain pending requests at net namespace exit - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close - [arm64,armhf] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() - [amd64,arm64] net: mana: Add NULL guards in teardown path to prevent panic on attach failure - sctp: fix race between sctp_wait_for_connect and peeloff - ipv6: fix possible infinite loop in rt6_fill_node() - ipv6: fix possible infinite loop in fib6_select_path() - net: skbuff: fix pskb_carve leaking zcopy pages - perf: Fix dangling cgroup pointer in cpuctx - batman-adv: v: stop OGMv2 on disabled interface - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: tt: reject oversized local TVLV buffers - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: avoid role confusion in tp_list - [s390x] cio: Restore GFP_DMA for CHSC allocation - batman-adv: tp_meter: directly shut down timer on cleanup - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303) - media: rc: fix race between unregister and urb/irq callbacks - media: rc: ttusbir: fix inverted error logic - inet: frags: add inet_frag_queue_flush() - inet: frags: flush pending skbs in fqdir_pre_exit() (CVE-2025-68768) - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: introduce hid_safe_input_report() - HID: core: Fix size_t specifier in hid_report_raw_event() - [amd64] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register - [amd64] drm/i915/psr: Read Intel DPCD workaround register - drm/dp: Add eDP 1.5 bit definition - [amd64] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used - [arm64] io: Rename ioremap_prot() to __ioremap_prot() - [arm64] io: Extract user memory type in ioremap_prot() (CVE-2026-23346) - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X - batman-adv: tt: prevent TVLV entry number overflow - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers - usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT - usb: typec: ucsi: validate connector number in ucsi_connector_change() - USB: serial: safe_serial: fix memory corruption with small endpoint - media: rc: igorplugusb: fix control request setup packet - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range - auxdisplay: line-display: fix OOB read on zero-length message_store() - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - Bluetooth: HIDP: fix missing length checks in hidp_input_report() - Bluetooth: ISO: fix UAF in iso_recv_frame - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync - Input: xpad - fix out-of-bounds access for Share button - parport: Fix race between port and client registration (Closes: #1130365) - USB: cdc-acm: Fix bit overlap and move quirk definitions to header - [arm64] KVM: arm64: PMU: Preserve AArch32 counter low bits - [amd64] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC - [amd64] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use - [amd64] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests - [amd64] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - [amd64] KVM: SEV: Compute the correct max length of the in-GHCB scratch area - [amd64] KVM: SEV: Check PSC request indices against the actual size of the buffer - [amd64] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer - [amd64] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux - iio: adc: npcm: fix unbalanced clk_disable_unprepare() - iio: dac: max5821: fix return value check in powerdown sync - iio: dac: ad5686: fix input raw value check - iio: dac: ad5686: acquire lock when doing powerdown control - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: gyro: adis16260: fix division by zero in write_raw - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() - USB: serial: omninet: fix memory corruption with small endpoint - usb: cdns3: gadget: fix request skipping after clearing halt - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - wireguard: send: append trailer after expanding head - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ipv6: exthdrs: refresh nh after handling HAO option - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - xfrm: input: hold netns during deferred transport reinjection - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - net: skbuff: fix missing zerocopy reference in pskb_carve helpers - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: xpad - add "Nova 2 Lite" from GameSir - Input: xpad - add support for ASUS ROG RAIKIRI II - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [amd64] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [amd64] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - counter: Fix refcount leak in counter_alloc() error path - tty: serial: pch_uart: add check for dma_alloc_coherent() - tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - usb: typec: tcpm: improve handling of DISCOVER_MODES failures - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - usb: gadget: f_fs: copy only received bytes on short ep0 read - usb: gadget: f_fs: serialize DMABUF cancel against request completion - [amd64] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - [amd64] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - scsi: target: iscsi: Validate CHAP_R length before base64 decode - drm/hyperv: validate resolution_count and fix WIN8 fallback - drm/hyperv: validate VMBus packet size in receive callback - [amd64] drm/i915: Fix potential UAF in TTM object purge - drm/amd/pm/si: Disregard vblank time when no displays are connected - serial: altera_jtaguart: handle uart_add_one_port() failures - serial: qcom-geni: fix UART_RX_PAR_EN bit position - serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ - serial: sh-sci: fix memory region release in error path - serial: zs: Fix swapped RI/DSR modem line transition counting - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger - drm/amdkfd: Check for pdd drm file first in CRIU restore path - serial: dz: Fix bootconsole message clobbering at chip reset - serial: dz: Fix bootconsole handover lockup - serial: dz: Convert to use a platform device - serial: zs: Fix bootconsole handover lockup - serial: zs: Switch to using channel reset - serial: zs: Convert to use a platform device - USB: serial: cypress_m8: fix memory corruption with small endpoint - USB: serial: digi_acceleport: fix memory corruption with small endpoints - xhci: tegra: Fix ghost USB device on dual-role port unplug - iommu: Skip PASID validation for devices without PASID capability - [amd64] x86/boot: Disable stack protector for early boot code - [amd64] x86/kexec: Disable KCOV instrumentation after load_segments() (CVE-2026-43331) - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg - rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer - serdev: Provide a bustype shutdown function - Bluetooth: hci_qca: Migrate to serdev specific shutdown function - Bluetooth: hci_qca: Convert timeout from jiffies to ms - ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes - ALSA: scarlett2: Allow flash writes ending at segment boundary - mm/memory: fix spurious warning when unmapping device-private/exclusive pages - [amd64] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery - net: hsr: defer node table free until after RCU readers - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient - ice: fix VF queue configuration with low MTU values - ring-buffer: Flush and stop persistent ring buffer on panic - mptcp: cleanup fallback dummy mapping generation - mptcp: reset rcv wnd on disconnect - [arm64] tlb: Flush walk cache when unsharing PMD tables - [arm64] octeontx2-pf: avoid double free of pool->stack on AQ init failure - mptcp: introduce the mptcp_init_skb helper - mptcp: handle first subflow closing consistently - mptcp: do not drop partial packets - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() - iio: chemical: scd30: Use guard(mutex) to allow early returns - iio: chemical: scd30: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - ALSA: firewire-motu: Protect register DSP event queue positions - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths - usb: musb: omap2430: Fix use-after-free in omap2430_probe() - usb: typec: ucsi: Check if power role change actually happened before handling - [amd64] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - [amd64] x86/alternatives: Rename 'apply_relocation()' to 'text_poke_apply_relocation()' - [amd64] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock - mm: perform all memfd seal checks in a single place - mm/memfd: fix spelling and grammatical issues - memfd: deny writeable mappings when implying SEAL_WRITE - usb: core: Fix SuperSpeed root hub wMaxPacketSize - ethtool: cmis_cdb: Fix incorrect read / write length extension - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow - [arm64] KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CVE-2026-46316) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.94 - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - USB: serial: mct_u232: fix memory corruption with small endpoint - [armhf] group is_permission_fault() with is_translation_fault() - [armhf] allow __do_kernel_fault() to report execution of memory faults - [armhf] fix hash_name() fault - [armhf] fix branch predictor hardening - net: phy: micrel: fix LAN8814 QSGMII soft reset - wifi: remove zero-length arrays - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl - ipv6: mcast: Fix use-after-free when processing MLD queries - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS - [arm64] tee: optee: prevent use-after-free when the client exits before the supplicant - [arm64]soc: qcom: ice: Return -ENODEV if the ICE platform device is not found - erofs: add sysfs node to drop internal caches - erofs: tidy up synchronous decompression - erofs: fix use-after-free on sbi->sync_decompress - ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit - netfilter: synproxy: add mutex to guard hook reference counting - netfilter: conntrack_irc: fix possible out-of-bounds read - netfilter: nft_ct: bail out on template ct in get eval - netfilter: bridge: make ebt_snat ARP rewrite writable - dm cache policy smq: check allocation under invalidate lock - net/sched: act_api: use RCU with deferred freeing for action lifecycle - 6lowpan: fix off-by-one in multicast context address compression - l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() - devlink: Release nested relation on devlink free - [arm64] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c - wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap - pcnet32: stop holding device spin lock during napi_complete_done - net: Annotate sk->sk_write_space() for UDP SOCKMAP. - hsr: Remove WARN_ONCE() in hsr_addr_is_self(). - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - net: fec: fix pinctrl default state restore order on resume - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() - Bluetooth: MGMT: validate advertising TLV before type checks - Bluetooth: RFCOMM: validate skb length in MCC handlers - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling - Bluetooth: bnep: reject short frames before parsing - Bluetooth: fix memory leak in error path of hci_alloc_dev() - Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync - Bluetooth: ISO: Fix not using bc_sid as advertisement SID - Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls - Bluetooth: MGMT: Fix backward compatibility with userspace - [arm64] octeontx2-pf: Fix NDC sync operation errors - [arm64] octeontx2-af: Fix initialization of mcam's entry2target_pffunc field - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options - ptp: vclock: Switch from RCU to SRCU - net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown - net_sched: act_pedit: use RCU in tcf_pedit_dump() - net/sched: fix pedit partial COW leading to page cache corruption (CVE-2026-46331) - [arm64] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow - vxlan: vnifilter: send notification on VNI add - vxlan: vnifilter: fix spurious notification on VNI update - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr - sctp: purge outqueue on stale COOKIE-ECHO handling - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams - ALSA: seq: dummy: fix UMP event stack overread - ima: kexec: skip IMA segment validation after kexec soft reboot - ima: kexec: move IMA log copy from kexec load to execute - spi: cadence-quadspi: fix unclocked access on unbind (CVE-2026-46203) - tools/rv: Fix cleanup after failed trace setup - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - iomap: don't revert iov_iter on partially completed buffered writes - dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() - netlabel: validate unlabeled address and mask attribute lengths - gpio: mvebu: fix NULL pointer dereference in suspend/resume - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls - tcp: restrict SO_ATTACH_FILTER to priv users - net: add pskb_may_pull() to skb_gro_receive_list() - net/mlx4: avoid GCC 10 __bad_copy_from() false positive - net: ibm: emac: Fix use-after-free during device removal - netdev: fix double-free in netdev_nl_bind_rx_doit() - net: phy: clean the sfp upstream if phy probing fails - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove - net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list - net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure - net/mlx5: Use effective affinity mask for IRQ selection - ipv6: sit: reload inner IPv6 header after GSO offloads - net: openvswitch: fix possible kfree_skb of ERR_PTR - r8152: handle the return value of usb_reset_device() - gpio: zynq: fix runtime PM leak on remove - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() - net: guard timestamp cmsgs to real error queue skbs - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: revalidate bridge ports - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister - netfilter: x_tables: avoid leaking percpu counter pointers - netfilter: nf_log: validate MAC header was set before dumping it - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag - [arm64,armhf] net: mvpp2: sync RX data at the hardware packet offset - [arm64,armhf] net: mvpp2: limit XDP frame size to the RX buffer - [arm64,armhf] net: mvpp2: Add metadata support for xdp mode - [arm64,armhf] net: mvpp2: refill RX buffers before XDP or skb use - [arm64,armhf] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS - ipv6: Fix a potential NPD in cleanup_prefix_route() - netfilter: ctnetlink: ensure safe access to master conntrack (CVE-2026-43116) - writeback: Avoid contention on wb->list_lock when switching inodes - writeback: Fix use after free in inode_switch_wbs_work_fn() - xfrm: hold device only for the asynchronous decryption - xfrm: hold dev ref until after transport_finish NF_HOOK (CVE-2026-31663) - [amd64] KVM: VMX: Update SVI during runtime APICv activation - [arm64] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked - clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs - [arm64] clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time - drm/virtio: Fix driver removal with disabled KMS - [arm64,armhf] drm/vc4: fix krealloc() memory leak - drm/xe: fix refcount leak in xe_range_fence_insert() - netfilter: nft_tunnel: fix use-after-free on object destroy - [arm64] tee: shm: fix shm leak in register_shm_helper() - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig - [arm64] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() - [amd64] accel/ivpu: Add bounds checks for firmware log indices - [amd64] accel/ivpu: Add buffer overflow check in MS get_info_ioctl - [amd64] accel/ivpu: Fix signed integer truncation in IPC receive - tracing/probes: Point the error offset correctly for eprobe argument error - mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation - KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying - [amd64] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA - [amd64] drm/i915/gem: Fix phys BO pread/pwrite with offset - pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL - xfrm: espintcp: do not reuse an in-progress partial send - USB: serial: io_ti: fix heap overflow in get_manuf_info() - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow - ALSA: timer: Forcibly close timer instances at closing - ALSA: timer: Fix UAF at snd_timer_user_params() - io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries - drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - mm/huge_memory: update file PMD counter before folio_put() - mm/damon/ops-common: call folio_test_lru() after folio_get() - RDMA/srp: bound SRP_RSP sense copy by the received length - zram: fix use-after-free in zram_bvec_write_partial() - udp: clear skb->dev before running a sockmap verdict - mptcp: fix retransmission loop when csum is enabled - mptcp: close TOCTOU race while computing rcv_wnd - mptcp: allow subflow rcv wnd to shrink - mptcp: sockopt: check timestamping ret value - mptcp: add-addr: always drop other suboptions - wifi: nl80211: reject oversized EMA RNR lists - vsock/vmci: fix sk_ack_backlog leak on failed handshake - timers/migration: Fix livelock in tmigr_handle_remote_up() - ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write - bnxt_en: Fix NULL pointer dereference - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN - inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush - pidfd: refuse access to tasks that have started exiting harder - fs/qnx6: fix pointer arithmetic in directory iteration - fuse: reject fuse_notify() pagecache ops on directories - i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() - i2c: stm32f7: fix timing computation ignoring i2c-analog-filter - i2c: tegra: Fix NOIRQ suspend/resume - Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates - misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - misc: fastrpc: fix use-after-free race in fastrpc_map_create - misc: fastrpc: fix DMA address corruption due to find_vma misuse - misc: fastrpc: Fix NULL pointer dereference in rpmsg callback - net/mlx5: Reorder completion before putting command entry in cmd_work_handler - net: bonding: fix NULL pointer dereference in bond_do_ioctl() - net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind - nvmem: core: fix use-after-free bugs in error paths - nvmem: layouts: onie-tlv: fix hang on unknown types - [arm64] octeontx2-af: fix memory leak in rvu_setup_hw_resources() - io_uring/kbuf: don't truncate end buffer for bundles - io_uring/wait: fix min_timeout behavior - mm/hugetlb: restore reservation on error in hugetlb folio copy paths - mmc: core: Fix host controller programming for fixed driver type - mmc: dw_mmc-rockchip: Add missing private data for very old controllers - mmc: litex_mmc: Set mandatory idle clocks before CMD0 - mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC - mmc: sdhci: add signal voltage switch in sdhci_resume_host - pmdomain: imx: fix OF node refcount - rtase: Avoid sleeping in get_stats64() - rtase: Reset TX subqueue when clearing TX ring - sctp: diag: reject stale associations in dump_one path - sctp: stream: fully roll back denied add-stream state - [amd64] thunderbolt: Reject zero-length property entries in validator - [amd64] thunderbolt: Bound root directory content to block size - [amd64] thunderbolt: Clamp XDomain response data copy to allocation size - [amd64] thunderbolt: Validate XDomain request packet size before type cast - [amd64] thunderbolt: Limit XDomain response copy to actual frame size - [arm64] slimbus: qcom-ngd-ctrl: fix OF node refcount - [arm64] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration - [arm64] slimbus: qcom-ngd-ctrl: Fix probe error path ordering - [arm64] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd - [arm64] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller - [arm64] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership - [arm64] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD - [arm64] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock - drm/amdkfd: fix NULL dereference in get_queue_ids() - drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 - drm/xe: Clear pending_disable before signaling suspend fence - [arm64,armhf] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups - drm/amdgpu: restart the CS if some parts of the VM are still invalidated - drm/amd/pm: fix smu13 power limit default/cap calculation - drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 - drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range - drm/amd/display: Bound VBIOS record-chain walk loops - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size - drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs - drm/amd/display: Use krealloc_array() in dal_vector_reserve() - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling - driver core: reject devices with unregistered buses - mailbox: Fix NULL message support in mbox_send_message() - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf - sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() - netfilter: nft_fib: fix stale stack leak via the OIFNAME register - mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison - RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper - RDMA/umem: Move umem dmabuf revoke logic into helper function - RDMA/umem: Add helpers for umem dmabuf revoke lock - RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - RDMA/umem: fix kernel-doc warnings - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G - mm/hugetlb: avoid false positive lockdep assertion - mptcp: fix missing wakeups in edge scenarios - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - vsock/virtio: fix potential unbounded skb queue - vsock/virtio: fix skb overhead accounting to preserve full buf_alloc - block: fix handling of dead zone write plugs - [arm64] cputype: Add NVIDIA Olympus definitions - [arm64] cputype: Add C1-Ultra definitions - [arm64] cputype: Add C1-Premium definitions - [arm64] errata: Mitigate TLBI errata on various Arm CPUs - [arm64] errata: Mitigate TLBI errata on NVIDIA Olympus CPU - [arm64] errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - net: introduce EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() - tcp: use EXPORT_IPV6_MOD[_GPL]() - tcp: secure_seq: add back ports to TS offset (CVE-2026-23247) - mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation - vsock/virtio: fix skb overhead overflow on 32-bit builds - netfilter: require Ethernet MAC header before using eth_hdr() . [ Salvatore Bonaccorso ] * [rt] Refresh "ARM: enable irq in translation/section permission fault" * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) linux (6.12.90-2) trixie-security; urgency=high . * smb: client: reject userspace cifs.spnego descriptions * net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) linux (6.12.90-2~bpo12+1) bookworm-backports; urgency=high . * Rebuild for bookworm-backports . linux (6.12.90-2) trixie-security; urgency=high . * smb: client: reject userspace cifs.spnego descriptions * net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) linux (6.12.90-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.89 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.90 - HID: playstation: Clamp num_touch_reports - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [arm64] dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux - [arm64] regulator: mt6357: fix OF node reference imbalance - [arm64,armhf] regulator: rk808: fix OF node reference imbalance - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap - [amd64] media: intel/ipu6: fix error pointer dereference - media: saa7164: add ioremap return checks and cleanups - spi: aspeed-smc: fix controller deregistration - [amd64] platform/x86: hp-wmi: Ignore backlight and FnLock events - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy - [arm64] drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() - [amd64] drm/i915/psr: Init variable to avoid early exit from et alignment loop - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. - drm/amdgpu: gate VM CPU HDP flush on reset lock - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x - drm/amdkfd: Add upper bound check for num_of_nodes - drm/amdgpu: Add bounds checking to ib_{get,set}_value - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB - drm/amdgpu/vce: Prevent partial address patches - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg - drm/amd/display: Change dither policy for 10 bpc output back to dithering - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() - drm/amdkfd: validate SVM ioctl nattr against buffer size - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() - drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() - drm/radeon: add missing revision check for CI - drm/amdgpu: zero-initialize GART table on allocation - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds - drm/amdkfd: Make all TLB-flushes heavy-weight - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - [arm64] dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL - batman-adv: fix integer overflow on buff_pos - batman-adv: reject new tp_meter sessions during teardown - batman-adv: stop caching unowned originator pointers in BAT IV - batman-adv: bla: prevent use-after-free when deleting claims - batman-adv: bla: only purge non-released claims - batman-adv: bla: put backbone reference on failed claim hash insert - usb: typec: tcpm: reset internal port states on soft reset AMS - usb: dwc3: Move GUID programming after PHY initialization - ALSA: hda: cs35l56: Propagate ASP TX source control errors - ALSA: misc: Use guard() for spin locks - ALSA: core: Serialize deferred fasync state checks - ALSA: seq: Notify client and port info changes - ALSA: seq: Fix UMP group 16 filtering - Bluetooth: hci_conn: fix potential UAF in create_big_sync - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration - [arm64,armhf] spi: tegra114: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - block: cleanup blkdev_report_zones() - block: reorganize struct blk_zone_wplug - block: fix zone write plug removal - tracefs: Fix default permissions not being applied on initial mount - fbcon: Avoid OOB font access if console rotation fails - mm/damon/core: disallow time-quota setting zero esz - mm/damon/core: implement damon_kdamond_pid() - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values - bonding: fix use-after-free due to enslave fail after slave array update (CVE-2026-23171) - io_uring/kbuf: support min length left for incremental buffers - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() - btrfs: fix double free in create_space_info_sub_group() error path - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak - tracing/probes: Limit size of event probe to 3K - batman-adv: stop tp_meter sessions during mesh teardown - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - vsock: fix buffer size clamping order - vsock/virtio: fix length and offset in tap skb for split packets - vsock/virtio: fix empty payload in tap skb for non-linear buffers - vsock/virtio: fix accept queue count leak on transport mismatch - drm/amdgpu/vcn3: Avoid overflow on msg bound check - drm/amdgpu/vcn4: Avoid overflow on msg bound check . [ Salvatore Bonaccorso ] * Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (Closes: #1136790) * net: skbuff: preserve shared-frag marker during coalescing (CVE-2026-46300) * net: skbuff: propagate shared-frag marker through frag-transfer helpers linux (6.12.90-1~bpo12+1) bookworm-backports; urgency=high . * Rebuild for bookworm-backports . linux (6.12.90-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.89 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.90 - HID: playstation: Clamp num_touch_reports - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [arm64] dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux - [arm64] regulator: mt6357: fix OF node reference imbalance - [arm64,armhf] regulator: rk808: fix OF node reference imbalance - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap - [amd64] media: intel/ipu6: fix error pointer dereference - media: saa7164: add ioremap return checks and cleanups - spi: aspeed-smc: fix controller deregistration - [amd64] platform/x86: hp-wmi: Ignore backlight and FnLock events - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy - [arm64] drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() - [amd64] drm/i915/psr: Init variable to avoid early exit from et alignment loop - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. - drm/amdgpu: gate VM CPU HDP flush on reset lock - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x - drm/amdkfd: Add upper bound check for num_of_nodes - drm/amdgpu: Add bounds checking to ib_{get,set}_value - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB - drm/amdgpu/vce: Prevent partial address patches - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg - drm/amd/display: Change dither policy for 10 bpc output back to dithering - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() - drm/amdkfd: validate SVM ioctl nattr against buffer size - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() - drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() - drm/radeon: add missing revision check for CI - drm/amdgpu: zero-initialize GART table on allocation - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds - drm/amdkfd: Make all TLB-flushes heavy-weight - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - [arm64] dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL - batman-adv: fix integer overflow on buff_pos - batman-adv: reject new tp_meter sessions during teardown - batman-adv: stop caching unowned originator pointers in BAT IV - batman-adv: bla: prevent use-after-free when deleting claims - batman-adv: bla: only purge non-released claims - batman-adv: bla: put backbone reference on failed claim hash insert - usb: typec: tcpm: reset internal port states on soft reset AMS - usb: dwc3: Move GUID programming after PHY initialization - ALSA: hda: cs35l56: Propagate ASP TX source control errors - ALSA: misc: Use guard() for spin locks - ALSA: core: Serialize deferred fasync state checks - ALSA: seq: Notify client and port info changes - ALSA: seq: Fix UMP group 16 filtering - Bluetooth: hci_conn: fix potential UAF in create_big_sync - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration - [arm64,armhf] spi: tegra114: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - block: cleanup blkdev_report_zones() - block: reorganize struct blk_zone_wplug - block: fix zone write plug removal - tracefs: Fix default permissions not being applied on initial mount - fbcon: Avoid OOB font access if console rotation fails - mm/damon/core: disallow time-quota setting zero esz - mm/damon/core: implement damon_kdamond_pid() - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values - bonding: fix use-after-free due to enslave fail after slave array update (CVE-2026-23171) - io_uring/kbuf: support min length left for incremental buffers - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() - btrfs: fix double free in create_space_info_sub_group() error path - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak - tracing/probes: Limit size of event probe to 3K - batman-adv: stop tp_meter sessions during mesh teardown - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - vsock: fix buffer size clamping order - vsock/virtio: fix length and offset in tap skb for split packets - vsock/virtio: fix empty payload in tap skb for non-linear buffers - vsock/virtio: fix accept queue count leak on transport mismatch - drm/amdgpu/vcn3: Avoid overflow on msg bound check - drm/amdgpu/vcn4: Avoid overflow on msg bound check . [ Salvatore Bonaccorso ] * Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (Closes: #1136790) * net: skbuff: preserve shared-frag marker during coalescing (CVE-2026-46300) * net: skbuff: propagate shared-frag marker through frag-transfer helpers linux (6.12.88-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic linux (6.12.88-1~bpo12+1) bookworm-backports; urgency=high . * Rebuild for bookworm-backports . linux (6.12.88-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic linux-signed-amd64 (6.12.94+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.94-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.91 - io_uring/kbuf: use mem_is_zero() - blk-cgroup: wait for blkcg cleanup before initializing new disk - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START - fs/mbcache: cancel shrink work before destroying the cache - md/raid1: fix the comparing region of interval tree - drbd: Balance RCU calls in drbd_adm_dump_devices() - loop: fix partition scan race between udev and loop_reread_partitions() - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() - pstore/ram: fix resource leak when ioremap() fails - md: wake raid456 reshape waiters before suspend - btrfs: pass struct btrfs_inode to clone_copy_inline_extent() - btrfs: fix deadlock between reflink and transaction commit when using flushoncommit - [amd64] ACPI: x86: cmos_rtc: Clean up address space handler driver - [amd64] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver - devres: fix missing node debug info in devm_krealloc() - thermal/drivers/spear: Fix error condition for reading st,thermal-flags - debugfs: check for NULL pointer in debugfs_create_str() - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() - soundwire: debugfs: initialize firmware_file to empty string - PCI: use generic driver_override infrastructure - platform/wmi: use generic driver_override infrastructure - [s390x] cio: use generic driver_override infrastructure - bus: fsl-mc: use generic driver_override infrastructure - irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter - hrtimers: Update the return type of enqueue_hrtimer() - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() - hrtimer: Reduce trace noise in hrtimer_start() - locking: Fix rwlock support in - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet - bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n - [s390x] bpf: Zero-extend bpf prog return values and kfunc arguments - params: Replace __modinit with __init_or_module - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control - wifi: mt76: mt7615: fix use_cts_prot support - wifi: mt76: mt7915: fix use_cts_prot support - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() - wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor - wifi: mt76: mt7921: Place upper limit on station AID - [arm64] cpufeature: Make PMUVer and PerfMon unsigned - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() - wifi: mt76: mt7921: fix 6GHz regulatory update on connection - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path - bpf: Fix variable length stack write over spilled pointers - bpf,arc_jit: Fix missing newline in pr_err messages - wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() - r8152: fix incorrect register write to USB_UPHY_XTAL - [powerpc*] crash: fix backup region offset update to elfcorehdr - [powerpc*] crash: Update backup region offset in elfcorehdr on memory hotplug - macvlan: annotate data-races around port->bc_queue_len_used - bpf: fix end-of-list detection in cgroup_storage_get_next_key() - bpf: Fix stale offload->prog pointer after constant blinding - wifi: brcmfmac: Fix error pointer dereference - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() - wifi: ath10k: fix station lookup failure during disconnect - ACPI: AGDI: fix missing newline in error message - [arm64] kexec: Remove duplicate allocation for trans_pgd - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb - net: bcmgenet: add bcmgenet_has_* helpers - net: bcmgenet: move DESC_INDEX flow to ring 0 - net: bcmgenet: support reclaiming unsent Tx packets - net: bcmgenet: switch to use 64bit statistics - net: bcmgenet: fix racing timeout handler - eth: fbnic: Use wake instead of start - netfilter: xt_socket: enable defrag after all other checks - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - bpf: fix mm lifecycle in open-coded task_vma iterator - bpf: switch task_vma iterator from mmap_lock to per-VMA locks - bpf: return VMA snapshot from task_vma iterator - bpf: Fix RCU stall in bpf_fd_array_map_clear() - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf - bpf: Relax scalar id equivalence for state pruning - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars - net/sched: act_ct: Only release RCU read lock after ct_ft - net: airoha: Implement BQL support - net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() - bpf: Allow instructions with arena source and non-arena dest registers - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace - bpf: Fix OOB in pcpu_init_value - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 - net: phy: fix a return path in get_phy_c45_ids() - net/mlx5e: Fix features not applied during netdev registration - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec - net: phy: qcom: at803x: Use the correct bit to disable extended next page - ipv4: udp: fix typos in comments - ipv6: udp: fix typos in comments - udp: Force compute_score to always inline - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init(). - sctp: fix missing encap_port propagation for GSO fragments - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master - drm/komeda: fix integer overflow in AFBC framebuffer size check - ASoC: SOF: ipc3: Use standard dev_dbg API - ASoC: add symmetric_ prefix for dai->rate/channels/sample_bits - ASoC: soc-compress: use function to clear symmetric params - drm/sun4i: backend: fix error pointer dereference - ASoC: sti: Return errors from regmap_field_alloc() - ASoC: sti: use managed regmap_field allocations - dm cache: fix null-deref with concurrent writes in passthrough mode - dm cache: fix write path cache coherency in passthrough mode - dm cache: fix write hang in passthrough mode - dm cache policy smq: fix missing locks in invalidating cache blocks - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching - platform/chrome: chromeos_tbmc: Drop wakeup source on remove - PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs encoding - PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() - PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() - dm cache metadata: fix memory leak on metadata abort retry - dm log: fix out-of-bounds write due to region_count overflow - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check - spi: spi-nxp-fspi: enable runtime pm for fspi - spi: nxp-fspi: Use reinit_completion() for repeated operations - spi: fsl-qspi: Use reinit_completion() for repeated operations - media: i2c: og01a1b: Replace client->dev usage - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe - drm/v3d: Handle error from drm_sched_entity_init() - drm/sun4i: Fix resource leaks - drm/amdgpu: Add default case in DVI mode validation - dm init: ensure device probing has finished in dm-mod.waitfor= - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break - crypto: tegra - finalize crypto req on error - crypto: tegra - Transfer HASH init function to crypto engine - crypto: tegra - Reserve keyslots to allocate dynamically - crypto: tegra - Disable softirqs before finalizing request - crypto: atmel - Use unregister_{aeads,ahashes,skciphers} - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs - padata: Remove cpu online check from cpu add and removal - padata: Put CPU offline callback in ONLINE section to allow failure - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation - drm/amdgpu/gfx10: look at the right prop for gfx queue priority - drm/amdgpu/gfx11: look at the right prop for gfx queue priority - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo - drm/imagination: Switch reset_reason fields from enum to u32 - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() - [arm64] drm/msm/dpu: fix mismatch between power and frequency - [arm64] drm/msm/dsi: add the missing parameter description - [arm64] drm/msm/dsi: fix bits_per_pclk - [arm64] drm/msm/dsi: fix hdisplay calculation for CMD mode panel - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first - drm/panel: simple: Correct G190EAN01 prepare timing - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board - drm/amdgpu: add amdgpu_device reference in ip block - drm/amdgpu: update the handle ptr in dump_ip_state - drm/amdgpu: update the handle ptr in early_init - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled - hwmon: Switch back to struct platform_driver::remove() - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') - [amd64] ASoC: SOF: Intel: hda: Place check before dereference - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/shrinker: Fix can_block() logic - [arm64] drm/msm/a6xx: Fix dumping A650+ debugbus blocks - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - pmdomain: ti: omap_prm: Fix a reference leak on device node - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() - PM: domains: De-constify fields in struct dev_pm_domain_attach_data - ASoC: fsl_micfil: Add access property for "VAD Detected" - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() - ASoC: fsl_micfil: Fix event generation in micfil_quality_set() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() - ASoC: fsl_easrc: Change the type for iec958 channel status controls - [amd64] iommu/amd: Remove protection_domain.dev_cnt variable - [amd64] iommu/amd: xarray to track protection_domain->iommu list - [amd64] iommu/amd: Do not detach devices in domain free path - [amd64] iommu/amd: Reduce domain lock scope in attach device path - [amd64] iommu/amd: Rearrange attach device code - [amd64] iommu/amd: Convert dev_data lock from spinlock to mutex - [amd64] iommu/amd: Introduce helper function to update 256-bit DTE - [amd64] iommu/amd: Introduce helper function get_dte256() - [amd64] iommu/amd: Fix clone_alias() to use the original device's devid - [arm64] ASoC: qcom: qdsp6: topology: check widget type before accessing data - crypto: qat - introduce fuse array - crypto: qat - disable 4xxx AE cluster when lead engine is fused off - crypto: qat - disable 420xx AE cluster when lead engine is fused off - crypto: qat - fix type mismatch in RAS sysfs show functions - crypto: qat - use swab32 macro - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] - PCI: Enable AtomicOps only if Root Port supports them - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found - Documentation: fix a hugetlbfs reservation statement - ALSA: scarlett2: Add missing sentinel initializer field - ASoC: SOF: compress: return the configured codec from get_params - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports - PCI: tegra194: Fix polling delay for L2 state - PCI: tegra194: Increase LTSSM poll time on surprise link down - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down - PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0() - PCI: tegra194: Don't force the device into the D0 state before L2 - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode - PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" - PCI: tegra194: Disable direct speed change for Endpoint mode - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode - PCI: tegra194: Allow system suspend when the Endpoint link is not up - PCI: tegra194: Free up Endpoint resources during remove() - PCI: tegra194: Use DWC IP core version - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on - spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback - ALSA: sc6000: Keep the programmed board state in card-private data - dm cache: fix missing return in invalidate_committed's error path - crypto: jitterentropy - replace long-held spinlock with mutex - ALSA: hda/realtek - fixed speaker no sound update - gfs2: Call unlock_new_inode before d_instantiate - net/socket.c: switch to CLASS(fd) - fdget(), trivial conversions - fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() - quota: Fix race of dquot_scan_active() with quota deactivation - gfs2: add some missing log locking - gfs2: prevent NULL pointer dereference during unmount - efi/capsule-loader: fix incorrect sizeof in phys array reallocation - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine - [arm64] dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon - memory: tegra124-emc: Fix dll_change check - memory: tegra30-emc: Fix dll_change check - [arm64] dts: imx8-apalis: Fix LEDs name collision - [arm64] dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) - iommufd: vfio compatibility extension check for noiommu mode - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7981b: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count - [arm64] dts: qcom: msm8953-xiaomi-vince: correct wled ovp value - [arm64] dts: qcom: msm8953-xiaomi-daisy: fix backlight - [arm64] dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi - [arm64] dts: rockchip: Correct Fan Supply for Gameforce Ace - [arm64] dts: rockchip: Correct Joystick Axes on Gameforce Ace - [arm64] soc: qcom: ocmem: make the core clock optional - [arm64] soc: qcom: ocmem: register reasons for probe deferrals - [arm64] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available - bus: rifsc: fix RIF configuration check for peripherals - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix GIC_ITS range length - [arm64] dts: qcom: sm8650: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix xo clock supply of platform SD host controller - [arm64] dts: qcom: sm8650: Fix xo clock supply of SD host controller - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - [arm64] dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins - [arm64] dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins - [arm64] dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label - [arm64] dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing - [arm64] dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit - [arm64] dts: lx2160a: remove duplicate pinmux nodes - [arm64] dts: lx2160a: rename pinmux nodes for readability - [arm64] dts: lx2160a: add sda gpio references for i2c bus recovery - [arm64] dts: lx2160a: change zeros to hexadecimal in pinmux nodes - [arm64] dts: lx2160a: complete pinmux for rcwsr12 configuration word - [arm64] dts: imx8qm-mek: switch Type-C connector power-role to dual - [arm64] dts: imx8qxp-mek: switch Type-C connector power-role to dual - soc/tegra: cbb: Set ERD on resume for err interrupt - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure - ocfs2/dlm: validate qr_numregions in dlm_match_regions() - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison - soc: qcom: llcc: fix v1 SB syndrome register offset - [arm64] soc: qcom: aoss: compare against normalized cooling state - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP - [arm64] xor: fix conflicting attributes for xor_block_template - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP - ocfs2: fix listxattr handling when the buffer is full - ocfs2: validate bg_bits during freefrag scan - ocfs2: validate group add input before caching - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function - soundwire: bus: demote UNATTACHED state warnings to dev_dbg() - dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - soundwire: cadence: Clear message complete before signaling waiting thread - tracing: Rebuild full_name on each hist_field_name() call - hte: tegra194: remove Kconfig dependency on Tegra194 SoC - remoteproc: xlnx: Fix sram property parsing - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: make asus_resume adhere to linux kernel coding standards - HID: asus: do not abort probe when not necessary - mtd: physmap_of_gemini: Fix disabled pinctrl state check - ima_fs: don't bother with removal of files in directory we'll be removing - ima_fs: get rid of lookup-by-dentry stuff - ima_fs: Correctly create securityfs files for unsupported hash algos - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range - mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions - cxl/pci: Check memdev driver binding status in cxl_reset_done() - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() - ext4: fix possible null-ptr-deref in mbt_kunit_exit() - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check - bpf, sockmap: Fix af_unix iter deadlock - bpf, sockmap: Fix af_unix null-ptr-deref in proto update - bpf, sockmap: Take state lock for af_unix iter - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - bpf: Fix NULL deref in map_kptr_match_type for scalar regs - bpf: allow UTF-8 literals in bpf_bprintf_prepare() - bpf: Validate node_id in arena_alloc_pages() - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT - pinctrl: pinctrl-pic32: Fix resource leak - pinctrl: cy8c95x0: remove duplicate error message - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() - pinctrl: cy8c95x0: Avoid returning positive values to user space - perf branch: Avoid incrementing NULL - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace - pinctrl: realtek: Fix function signature for config argument - pinctrl: abx500: Fix type of 'argument' variable - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers - perf lock: Fix option value type in parse_max_stack - perf stat: Fix opt->value type for parse_cache_level - perf tools: Fix module symbol resolution for non-zero .text sh_addr - perf expr: Return -EINVAL for syntax error in expr__find_ids() - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure - ipmi: ssif_bmc: fix message desynchronization after truncated response - ipmi: ssif_bmc: change log level to dbg in irq callback - perf evsel: Add alternate_hw_config and use in evsel__match - perf tool_pmu: Factor tool events into their own PMU - perf python: Add parse_events function - perf cgroup: Update metric leader in evlist__expand_cgroup - perf maps: Fix copy_from that can break sorted by name order - perf util: Kill die() prototype, dead for a long time - reset: replace boolean parameters with flags parameter - reset: Add devres helpers to request pre-deasserted reset controls - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status - backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() - platform/surface: surfacepro3_button: Drop wakeup source on remove - leds: lgm-sso: Remove duplicate assignments for priv->mmap - tty: hvc_iucv: fix off-by-one in number of supported devices - platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - [amd64] platform/x86: asus-wmi: adjust screenpad power/brightness handling - [amd64] platform/x86: asus-wmi: fix screenpad brightness range - tty: serial: ip22zilog: Fix section mispatch warning - fs/ntfs3: terminate the cached volume label after UTF-8 conversion - [amd64] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - [amd64] platform/x86: dell-wmi-sysman: bound enumeration string aggregation - RDMA/core: Prefer NLA_NUL_STRING - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source - scsi: sg: Fix sysctl sg-big-buff register during sg_init() - scsi: sg: Resolve soft lockup issue when opening /dev/sgX - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting - scsi: target: core: Fix integer overflow in UNMAP bounds check - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Use retention for USB power domains - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - clk: imx8mq: Correct the CSI PHY sels - [amd64] x86/um/vdso: Drop VDSO64-y from Makefile - clk: qoriq: avoid format string warning - clk: xgene: Fix mapping leak in xgene_pllclk_init() - dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets - clk: qcom: dispcc-sc7180: Add missing MDSS resets - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON - clk: visconti: pll: initialize clk_init_data to zero - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() - [amd64] drm/i915: Relocate the SKL wm sanitation code - [amd64] drm/i915/wm: Verify the correct plane DDB entry - crypto: sa2ul - Fix AEAD fallback algorithm names - crypto: ccp - copy IV using skcipher ivsize - erofs: add encoded extent on-disk definition - erofs: do sanity check on m->type in z_erofs_load_compact_lcluster() - erofs: avoid infinite loops due to corrupted subpage compact indexes (CVE-2025-68251) - erofs: unify lcn as u64 for 32-bit platforms - [arm64] dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT - PCMCIA: Fix garbled log messages for KERN_CONT - [arm64] dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT - [arm64] dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names - net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir - macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: fix IPv6 route referencing IPv4 nexthop - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch - tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE - tcp: annotate data-races around tp->bytes_sent - tcp: annotate data-races around tp->bytes_retrans - tcp: annotate data-races around tp->dsack_dups - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - tcp: annotate data-races around tp->plb_rehash - ice: update PCS latency settings for E825 10G/25Gb modes - ice: Remove jumbo_remove step from TX path - ice: fix double-free of tx_buf skb - ice: fix ICE_AQ_LINK_SPEED_M for 200G - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks - pppoe: drop PFC frames - net/mlx5: Fix HCA caps leak on notifier init failure - openvswitch: cap upcall PID array size and pre-size vport replies - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO - netfilter: conntrack: remove sprintf usage - netfilter: xtables: restrict several matches to inet family - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check - slip: reject VJ receive packets on instances with no rstate array - slip: bound decode() reads against the compressed packet length - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - pwm: atmel-tcb: Cache clock rates and mark chip as atomic - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() - ksmbd: destroy async_ida in ksmbd_conn_free() - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open - ksmbd: scope conn->binding slowpath to bound sessions only - net/rds: zero per-item info buffer before handing it to visitors - ice: fix timestamp interrupt configuration for E825C - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - net: dsa: realtek: rtl8365mb: fix mode mask calculation - net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() - virtio_net: Split struct virtio_net_rss_config - virtio_net: Fix endian with virtio_net_ctrl_rss - virtio_net: Use new RSS config structs - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() - rtc: abx80x: Disable alarm feature if no interrupt attached - kbuild: builddeb - avoid recompiles for non-cross-compiles - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case - mailbox: mailbox-test: free channels on probe error - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array - mailbox: mailbox-test: don't free the reused channel - mailbox: mailbox-test: initialize struct earlier - mailbox: mailbox-test: make data_ready a per-instance variable - fsnotify: fix inode reference leak in fsnotify_recalc_mask() - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - cgroup: Increment nr_dying_subsys_* from rmdir context - tracing: branch: Fix inverted check on stat tracer registration - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers - netfilter: arp_tables: fix IEEE1394 ARP payload parsing - nvme-pci: fix missed admin queue sq doorbell write - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG - drm/amdgpu: fix spelling typos - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching - netfilter: nf_conntrack_sip: don't use simple_strtoul - [amd64] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ - drm/sysfb: ofdrm: fix PCI device reference leaks - arm64/scs: Fix potential sign extension issue of advance_loc4 - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets - net/sched: netem: only reseed PRNG when seed is explicitly provided - net/sched: netem: validate slot configuration - net/sched: netem: fix slot delay calculation overflow - net/sched: netem: check for negative latency and jitter - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - NFC: trf7970a: Ignore antenna noise when checking for RF field - net/sched: taprio: fix NULL pointer dereference in class dump - neigh: let neigh_xmit take skb ownership - tcp: make probe0 timer handle expired user timeout - net, treewide: define and use MAC_ADDR_STR_LEN - netconsole: allow selection of egress interface via MAC address - netpoll: Extract carrier wait function - netpoll: extract IPv4 address retrieval into helper function - netpoll: fix IPv6 local-address corruption - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams - sched/fair: Clear rel_deadline when initializing forked entities - net: mctp i2c: check length before marking flow active - net: phy: dp83869: fix setting CLK_O_SEL field. - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring - ASoC: codecs: ab8500: Fix casting of private data - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - netconsole: propagate device name truncation in dev_name_store() - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 - ALSA: hda/conexant: Fix missing error check for jack detection - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - drm/xe/debugfs: Correct printing of register whitelist ranges - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() - drm/xe/gsc: Fix BO leak on error in query_compatibility_version() - page_pool: Set `dma_sync` to false for devmem memory provider - net: page_pool: create hooks for custom memory providers - page_pool: fix memory-provider leak in page_pool_create_percpu() error path - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING - iavf: stop removing VLAN filters from PF on interface down - iavf: wait for PF confirmation before removing VLAN filters - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler - ice: fix NULL pointer dereference in ice_reset_all_vfs() - net: tls: fix strparser anchor skb leak on offload RX setup failure - sfc: fix error code in efx_devlink_info_running_versions() - net/sched: cls_flower: revert unintended changes - [arm64] Reserve an extra page for early kernel mapping - smb: client: correctly handle ErrorContextData as a flexible array - smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613) - LoongArch: KVM: Compile switch.S directly into the kernel - ntfs: ->d_compare() must not block - PCI: Initialize temporary device in new_id_store() - net: bcmgenet: Initialize u64 stats seq counter - net: bcmgenet: fix leaking free_bds - [amd64] iommu/amd: Reorder attach device code - [amd64] iommu/amd: Put list_add/del(dev_data) back under the domain->lock - perf tool_pmu: Fix aggregation on duration_time - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - netpoll: Extract IPv6 address retrieval function - netpoll: pass buffer size to egress_dev() to avoid MAC truncation - page_pool: fix incorrect mp_ops error handling - crypto: af_alg - Cap AEAD AD length to 0x80000000 - i40e: Cleanup PTP pins on probe failure - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path - netfilter: nf_conntrack_sip: get helper before allocating expectation - audit: fix incorrect inheritable capability in CAPSET records - Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" - netfilter: nft_ct: fix missing expect put in obj eval - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic - [amd64] KVM: x86: Fix Xen hypercall tracepoint argument assignment - netfilter: nf_tables: unconditionally bump set->nelems before insertion (CVE-2026-23272) - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands - smb/client: fix possible infinite loop and oob read in symlink_data() - [amd64] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans - ALSA: usb-audio: Bound MIDI endpoint descriptor scans - ceph: fix a buffer leak in __ceph_setxattr() - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - [powerpc*] warp: Fix error handling in pika_dtm_thread - netfs: fix error handling in netfs_extract_user_iter() - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining - libceph: Fix potential out-of-bounds access in osdmap_decode() - libceph: Fix potential null-ptr-deref in decode_choose_args() - libceph: Fix potential out-of-bounds access in crush_decode() - libceph: handle rbtree insertion error in decode_choose_args() - [amd64] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [amd64] drm/i915: skip __i915_request_skip() for already signaled requests - drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - drm/xe/dma-buf: handle empty bo and UAF races - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - drm/gma500/oaktrail_lvds: fix hang on init failure - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init - iommufd: Fix return value of iommufd_fault_fops_write() - eventfs: Use list_add_tail_rcu() for SRCU-protected children list - drm/v3d: Reject empty multisync extension to prevent infinite loop - btrfs: use inode already stored in local variable at btrfs_rmdir() - btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() - btrfs: fix missing last_unlink_trans update when removing a directory - smb: client: Use FullSessionKey for AES-256 encryption key derivation - btrfs: do not mark inode incompressible after inline attempt fails - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() - sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new - mptcp: pm: prio: skip closed subflows - mptcp: drop __mptcp_fastopen_gen_msk_ackseq() - mptcp: fix rx timestamp corruption on fastopen - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix false alarm of lockdep on cp_global_sem lock - spi: sifive: Simplify clock handling with devm_clk_get_enabled() - spi: sifive: fix controller deregistration - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - netfs: Fix potential uninitialised var in netfs_extract_user_iter() https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.92 - mptcp: sync the msk->sndbuf at accept() time - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount (CVE-2026-46158) - mptcp: pm: ADD_ADDR rtx: free sk if last (CVE-2026-46170) - ksmbd: validate owner of durable handle on reconnect (CVE-2026-31717) - drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() (CVE-2026-46216) - [s390x] debug: Reject zero-length input before trimming a newline - Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" - Revert "perf tool_pmu: Fix aggregation on duration_time" - Revert "perf python: Add parse_events function" - Revert "perf tool_pmu: Factor tool events into their own PMU" - bridge: mrp: reject zero test interval to avoid OOM panic (CVE-2026-31420) - spi: spi-dw-dma: fix print error log when wait finish transaction (CVE-2026-31560) - Revert "x86/vdso: Fix output operand size of RDPID" - sched/deadline: Less agressive dl_server handling - sched/deadline: Fix dl_server_stopped() - sched/deadline: Fix dl_server getting stuck - sched/deadline: Fix dl_server behaviour - sched/deadline: Stop dl_server before CPU goes offline - ksmbd: close durable scavenger races against m_fp_list lookups - af_unix: Give up GC if MSG_PEEK intervened. (CVE-2026-23394) - drm/imagination: Synchronize interrupts before suspending the GPU (CVE-2026-23469) - ata: libata-scsi: improve readability of ata_scsi_qc_issue() - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS - ata: libata-scsi: do not needlessly defer commands when using PMP with FBS - perf parse-events: Expose/rename config_term_name - Revert "ice: fix double-free of tx_buf skb" - Revert "ice: Remove jumbo_remove step from TX path" - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 - net/mlx5e: Trigger neighbor resolution for unresolved destinations - net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init - [amd64] x86/fgraph: Fix return_to_handler regs.rsp value - [amd64] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set - [riscv64] fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS - [riscv64] fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler (CVE-2025-22069) - hwmon: (pmbus/core) Protect regulator operations with mutex - [arm64] Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL - sysfs: don't remove existing directory on update failure - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() - ksmbd: fix null pointer dereference in compare_guid_key() - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow - ksmbd: validate SID in parent security descriptor during ACL inheritance - smb: client: require net admin for CIFS SWN netlink - smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() - smb: client: use data_len for SMB2 READ encrypted folioq copy - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX - ALSA: ua101: Reject too-short USB descriptors - ALSA: pcm: Don't setup bogus iov_iter for silencing - ALSA: asihpi: Fix potential OOB array access at reading cache - efi: Allocate runtime workqueue before ACPI init - io_uring/waitid: clear waitid info before copying it to userspace - drivers/base/memory: fix memory block reference leak in poison accounting - ipv6: ioam: refresh hdr pointer before ioam6_event() - mm/memory_hotplug: fix memory block reference leak on remove - net: wwan: iosm: fix potential memory leaks in ipc_imem_init() - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer - Bluetooth: MGMT: validate Add Extended Advertising Data length - Bluetooth: serialize accept_q access - phonet/pep: disable BH around forwarded sk_receive_skb() - net: bcmgenet: keep RBUF EEE/PM disabled - net: ifb: report ethtool stats over num_tx_queues - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() - netfilter: ip6t_hbh: reject oversized option lists - netfilter: nf_queue: hold bridge skb->dev while queued - netfilter: ipset: stop hash:* range iteration at end - netfilter: nft_inner: Fix IPv6 inner_thoff desync - sched_ext: Fix missing warning in scx_set_task_state() default case - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path - cgroup/cpuset: Reset DL migration state on can_attach() failure - fs/ntfs3: handle attr_set_size() errors when truncating files - l2tp: use list_del_rcu in l2tp_session_unhash - qed: fix double free in qed_cxt_tables_alloc() - ring-buffer: Fix reporting of missed events in iterator - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() - vsock/vmci: fix UAF when peer resets connection during handshake - vsock/virtio: reset connection on receiving queue overflow - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - rbd: eliminate a race in lock_dwork draining on unmap - lsm: hold cred_guard_mutex for lsm_set_self_attr() - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index - ice: fix setting promisc mode while adding VID filter - ice: restore PTP Rx timestamp config after ethtool set-channels - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - af_unix: Fix UAF read of tail->len in unix_stream_data_wait() - wifi: mac80211: consume only present negotiated TTLM maps - cifs: Fix busy dentry used after unmounting - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [arm64] probes: Handle probes on hinted conditional branch instructions - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits - [arm64] KVM: arm64: vgic: Free private_irqs when init fails after allocation - [riscv64] kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe - spi: qup: fix error pointer deref after DMA setup failure - [arm64] phy: tegra: xusb: Fix per-pad high-speed termination calibration - scsi: isci: Fix use-after-free in device removal path - spi: ep93xx: fix error pointer deref after DMA setup failure - spi: sprd: fix error pointer deref after DMA setup failure - spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - device property: set fwnode->secondary to NULL in fwnode_init() - drm/virtio: use uninterruptible resv lock for plane updates - drm/amdgpu/vpe: Force collaborate sync after TRAP - drm/bridge: it66121: acquire reset GPIO in probe - drm/bridge: megachips: remove bridge when irq request fails - drm/amd/display: Fix integer overflow in bios_get_image() - drm/amd/display: Validate GPIO pin LUT table size before iterating - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown - batman-adv: dat: handle forward allocation error - batman-adv: fix fragment reassembly length accounting - batman-adv: fix tp_meter counter underflow during shutdown - batman-adv: frag: disallow unicast fragment in fragment - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock - hwmon: (pmbus/adm1266) reject implausible blackbox record_count - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors - [arm64] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume - HID: uclogic: Fix regression of input name assignment - [riscv64] mm: Fixup no5lvl failure when vaddr is invalid - [arm64] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 - ALSA: hda: cs35l56: Put ACPI device after setting companion - ALSA: hda: cs35l41: Put ACPI device on missing physical node - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - netfilter: x_tables: unregister the templates first - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() - tcp: Fix imbalanced icsk_accept_queue count. - ice: fix setting RSS VSI hash for E830 - ice: fix locking in ice_dcb_rebuild() - net: lan966x: avoid unregistering netdev on register failure - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - NFSD: Fix infinite loop in layout state revocation - irqchip/ath79-cpu: Remove unused function - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation - nsfs: fix wrong error code returned for pidns ioctls - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT - zonefs: handle integer overflow in zonefs_fname_to_fno - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). - [powerpc*] fix dead default for GUEST_STATE_BUFFER_TEST - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call - netfs: Fix overrun check in netfs_extract_user_iter() - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone - netfs: Defer the emission of trace_netfs_folio() - netfs: Fix streaming write being overwritten - netfs: Fix potential deadlock in write-through mode - netfs: Fix write streaming disablement if fd open O_RDWR - netfs: Fix early put of sink folio in netfs_read_gaps() - netfs: Fix partial invalidation of streaming-write folio - netfs: Fix a few minor bugs in netfs_page_mkwrite() - netfs: Remove unnecessary references to pages - netfs: Fix folio->private handling in netfs_perform_write() - net: ethernet: cortina: Make RX SKB per-port - net: ethernet: cortina: Drop half-assembled SKB - net: ethernet: cortina: Carry over frag counter - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference - wifi: ath11k: fix error path leaks in some WMI WOW calls - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() - wifi: ath10k: skip WMI and beacon transmission when device is wedged - blk-integrity: remove seed for user mapped buffers - block: don't overwrite bip_vcnt in bio_integrity_copy_user() - block: recompute nr_integrity_segments in blk_insert_cloned_request - HID: quirks: really enable the intended work around for appledisplay - block: modify bio_integrity_map_user to accept iov_iter as argument - block: drop direction param from bio_integrity_copy_user() - blk-integrity: use simpler alignment check - blk-integrity: enable p2p source and destination - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() - accel/qaic: Add overflow check to remap_pfn_range during mmap - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - [arm64] drm/msm/dsi: don't dump registers past the mapped region - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN - [powerpc*] time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - net: phy: DP83TC811: add reading of abilities - [amd64] x86/xen: Fix xen_e820_swap_entry_with_ram() - tls: Preserve sk_err across recvmsg() when data has been copied - net/mlx5: Do not restore destination-less TC rules - scsi: sd: Fix return code handling in sd_spinup_disk() - ALSA: scarlett2: Add missing error check when initialise Autogain Status - io_uring/net: punt IORING_OP_BIND async if it needs file create - btrfs: fix squota accounting during enable generation - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions - drm/xe/gsc: Fix double-free of managed BO in error path - drm/xe/vf: Fix signature of print functions - drm/xe/pf: Fix CFI failure in debugfs access - wifi: ath11k: fix peer resolution on rx path when peer_id=0 - ice: ptp: serialize E825 PHY timer start with PTP lock - [amd64] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP - [arm64] net: dsa: mt7530: fix FDB entries not aging out with short timeout - [arm64] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer - platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 - [amd64] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL - [amd64] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL - RDMA/rtrs: Fix use-after-free in path file creation cleanup - net: bridge: Flush multicast groups when snooping is disabled - bridge: mcast: Fix a possible use-after-free when removing a bridge port - pds_core: fix error handling in pdsc_devcmd_wait - pds_core: fix debugfs_lookup dentry leak and error handling - wifi: mac80211: fix MLE defragmentation - ALSA: seq: Serialize UMP output teardown with event_input - tracing: Avoid NULL return from hist_field_name() on truncation - Bluetooth: btmtk: fix urb->setup_packet leak in error paths - net: ag71xx: check error for platform_get_irq - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() - drm/xe/oa: Fix exec_queue leak on width check in stream open - [arm64] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs - net: mana: validate rx_req_idx to prevent out-of-bounds array access - pds_core: ensure null-termination for firmware version strings - net: gro: don't merge zcopy skbs - landlock: Fix TCP handling of short AF_UNSPEC addresses - block: make bio_integrity_map_user() static inline - security/keys: fix missed RCU read section on lookup https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.93 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - [arm64] drm/v3d: Fix use-after-free of CPU job query arrays on error path - [arm64] drm/v3d: Release indirect CSD GEM reference on CPU job free - net/sched: cls_fw: fix NULL dereference of "old" filters before change() - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930) - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - bcache: fix uninitialized closure object - net: cpsw_new: Fix potential unregister of netdev that has not been registered yet (CVE-2026-43219) - [arm64] Introduce esr_is_ubsan_brk() - [arm64] debug: clean up single_step_handler logic - [arm64] refactor aarch32_break_handler() - [arm64] debug: call software breakpoint handlers statically - [arm64] debug: call step handlers statically - [arm64] debug: remove break/step handler registration infrastructure - [arm64] entry: Add entry and exit functions for debug exceptions - [arm64] debug: split hardware breakpoint exception entry - [arm64] debug: refactor reinstall_suspended_bps() - [arm64] debug: split single stepping exception entry - [arm64] debug: split hardware watchpoint exception entry - [arm64] debug: split brk64 exception entry - [arm64] debug: split bkpt32 exception entry - [arm64] debug: remove debug exception registration infrastructure - [arm64] debug: always unmask interrupts in el0_softstp() - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - vsock: keep poll shutdown state consistent - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - [s390x] net/iucv: fix locking in .getsockopt - scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - ALSA: pcm: oss: Fix setup list UAF on proc write error - [amd64] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - net: hsr: fix potential OOB access in supervision frame handling - [amd64] accel/ivpu: prevent uninitialized data bug in debugfs - gpio: mxc: fix irq_high handling - net: Avoid checksumming unreadable skb tail on trim - ethtool: rss: fix hkey leak when indir_size is 0 - ethtool: module: avoid leaking a netdev ref on module flash errors - ethtool: module: check fw_flash_in_progress under rtnl_lock - ethtool: module: fix cleanup if socket used for flashing multiple devices - ethtool: cmis: require exact CDB reply length - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl - net: ethtool: Add new parameters and a function to support EPL - net: ethtool: Add support for writing firmware blocks using EPL payload - ethtool: cmis: validate start_cmd_payload_size from module - ethtool: cmis: validate fw->size against start_cmd_payload_size - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - ASoC: codecs: simple-mux: Fix enum control bounds check - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - bonding: refuse to enslave CAN devices - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error - ethtool: pse-pd: fix missing ethnl_ops_complete() - ethtool: strset: fix header attribute index in ethnl_req_get_phydev() - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback - ethtool: eeprom: add more safeties to EEPROM Netlink fallback - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" - net/sched: fix packet loop on netem when duplicate is on - net/sched: act_mirred: Move the recursion counter struct netdev_xmit - net/sched: act_mirred: add loop detection - net: Introduce skb tc depth field to track packet loops - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop - net/sched: act_mirred: Fix return code in early mirred redirect error paths - net/handshake: Use spin_lock_bh for hn_lock - nvme-tcp: store negative errno in queue->tls_err - net/handshake: Pass negative errno through handshake_complete() - remove pointless includes of - net/handshake: Take a long-lived file reference at submit - net/handshake: Drain pending requests at net namespace exit - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close - [arm64,armhf] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() - [amd64,arm64] net: mana: Add NULL guards in teardown path to prevent panic on attach failure - sctp: fix race between sctp_wait_for_connect and peeloff - ipv6: fix possible infinite loop in rt6_fill_node() - ipv6: fix possible infinite loop in fib6_select_path() - net: skbuff: fix pskb_carve leaking zcopy pages - perf: Fix dangling cgroup pointer in cpuctx - batman-adv: v: stop OGMv2 on disabled interface - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: tt: reject oversized local TVLV buffers - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: avoid role confusion in tp_list - [s390x] cio: Restore GFP_DMA for CHSC allocation - batman-adv: tp_meter: directly shut down timer on cleanup - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303) - media: rc: fix race between unregister and urb/irq callbacks - media: rc: ttusbir: fix inverted error logic - inet: frags: add inet_frag_queue_flush() - inet: frags: flush pending skbs in fqdir_pre_exit() (CVE-2025-68768) - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: introduce hid_safe_input_report() - HID: core: Fix size_t specifier in hid_report_raw_event() - [amd64] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register - [amd64] drm/i915/psr: Read Intel DPCD workaround register - drm/dp: Add eDP 1.5 bit definition - [amd64] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used - [arm64] io: Rename ioremap_prot() to __ioremap_prot() - [arm64] io: Extract user memory type in ioremap_prot() (CVE-2026-23346) - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X - batman-adv: tt: prevent TVLV entry number overflow - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers - usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT - usb: typec: ucsi: validate connector number in ucsi_connector_change() - USB: serial: safe_serial: fix memory corruption with small endpoint - media: rc: igorplugusb: fix control request setup packet - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range - auxdisplay: line-display: fix OOB read on zero-length message_store() - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - Bluetooth: HIDP: fix missing length checks in hidp_input_report() - Bluetooth: ISO: fix UAF in iso_recv_frame - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync - Input: xpad - fix out-of-bounds access for Share button - parport: Fix race between port and client registration (Closes: #1130365) - USB: cdc-acm: Fix bit overlap and move quirk definitions to header - [arm64] KVM: arm64: PMU: Preserve AArch32 counter low bits - [amd64] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC - [amd64] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use - [amd64] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests - [amd64] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - [amd64] KVM: SEV: Compute the correct max length of the in-GHCB scratch area - [amd64] KVM: SEV: Check PSC request indices against the actual size of the buffer - [amd64] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer - [amd64] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux - iio: adc: npcm: fix unbalanced clk_disable_unprepare() - iio: dac: max5821: fix return value check in powerdown sync - iio: dac: ad5686: fix input raw value check - iio: dac: ad5686: acquire lock when doing powerdown control - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: gyro: adis16260: fix division by zero in write_raw - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() - USB: serial: omninet: fix memory corruption with small endpoint - usb: cdns3: gadget: fix request skipping after clearing halt - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - wireguard: send: append trailer after expanding head - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ipv6: exthdrs: refresh nh after handling HAO option - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - xfrm: input: hold netns during deferred transport reinjection - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - net: skbuff: fix missing zerocopy reference in pskb_carve helpers - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: xpad - add "Nova 2 Lite" from GameSir - Input: xpad - add support for ASUS ROG RAIKIRI II - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [amd64] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [amd64] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - counter: Fix refcount leak in counter_alloc() error path - tty: serial: pch_uart: add check for dma_alloc_coherent() - tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - usb: typec: tcpm: improve handling of DISCOVER_MODES failures - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - usb: gadget: f_fs: copy only received bytes on short ep0 read - usb: gadget: f_fs: serialize DMABUF cancel against request completion - [amd64] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - [amd64] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - scsi: target: iscsi: Validate CHAP_R length before base64 decode - drm/hyperv: validate resolution_count and fix WIN8 fallback - drm/hyperv: validate VMBus packet size in receive callback - [amd64] drm/i915: Fix potential UAF in TTM object purge - drm/amd/pm/si: Disregard vblank time when no displays are connected - serial: altera_jtaguart: handle uart_add_one_port() failures - serial: qcom-geni: fix UART_RX_PAR_EN bit position - serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ - serial: sh-sci: fix memory region release in error path - serial: zs: Fix swapped RI/DSR modem line transition counting - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger - drm/amdkfd: Check for pdd drm file first in CRIU restore path - serial: dz: Fix bootconsole message clobbering at chip reset - serial: dz: Fix bootconsole handover lockup - serial: dz: Convert to use a platform device - serial: zs: Fix bootconsole handover lockup - serial: zs: Switch to using channel reset - serial: zs: Convert to use a platform device - USB: serial: cypress_m8: fix memory corruption with small endpoint - USB: serial: digi_acceleport: fix memory corruption with small endpoints - xhci: tegra: Fix ghost USB device on dual-role port unplug - iommu: Skip PASID validation for devices without PASID capability - [amd64] x86/boot: Disable stack protector for early boot code - [amd64] x86/kexec: Disable KCOV instrumentation after load_segments() (CVE-2026-43331) - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg - rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer - serdev: Provide a bustype shutdown function - Bluetooth: hci_qca: Migrate to serdev specific shutdown function - Bluetooth: hci_qca: Convert timeout from jiffies to ms - ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes - ALSA: scarlett2: Allow flash writes ending at segment boundary - mm/memory: fix spurious warning when unmapping device-private/exclusive pages - [amd64] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery - net: hsr: defer node table free until after RCU readers - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient - ice: fix VF queue configuration with low MTU values - ring-buffer: Flush and stop persistent ring buffer on panic - mptcp: cleanup fallback dummy mapping generation - mptcp: reset rcv wnd on disconnect - [arm64] tlb: Flush walk cache when unsharing PMD tables - [arm64] octeontx2-pf: avoid double free of pool->stack on AQ init failure - mptcp: introduce the mptcp_init_skb helper - mptcp: handle first subflow closing consistently - mptcp: do not drop partial packets - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() - iio: chemical: scd30: Use guard(mutex) to allow early returns - iio: chemical: scd30: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - ALSA: firewire-motu: Protect register DSP event queue positions - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths - usb: musb: omap2430: Fix use-after-free in omap2430_probe() - usb: typec: ucsi: Check if power role change actually happened before handling - [amd64] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - [amd64] x86/alternatives: Rename 'apply_relocation()' to 'text_poke_apply_relocation()' - [amd64] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock - mm: perform all memfd seal checks in a single place - mm/memfd: fix spelling and grammatical issues - memfd: deny writeable mappings when implying SEAL_WRITE - usb: core: Fix SuperSpeed root hub wMaxPacketSize - ethtool: cmis_cdb: Fix incorrect read / write length extension - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow - [arm64] KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CVE-2026-46316) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.94 - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - USB: serial: mct_u232: fix memory corruption with small endpoint - [armhf] group is_permission_fault() with is_translation_fault() - [armhf] allow __do_kernel_fault() to report execution of memory faults - [armhf] fix hash_name() fault - [armhf] fix branch predictor hardening - net: phy: micrel: fix LAN8814 QSGMII soft reset - wifi: remove zero-length arrays - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl - ipv6: mcast: Fix use-after-free when processing MLD queries - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS - [arm64] tee: optee: prevent use-after-free when the client exits before the supplicant - [arm64]soc: qcom: ice: Return -ENODEV if the ICE platform device is not found - erofs: add sysfs node to drop internal caches - erofs: tidy up synchronous decompression - erofs: fix use-after-free on sbi->sync_decompress - ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit - netfilter: synproxy: add mutex to guard hook reference counting - netfilter: conntrack_irc: fix possible out-of-bounds read - netfilter: nft_ct: bail out on template ct in get eval - netfilter: bridge: make ebt_snat ARP rewrite writable - dm cache policy smq: check allocation under invalidate lock - net/sched: act_api: use RCU with deferred freeing for action lifecycle - 6lowpan: fix off-by-one in multicast context address compression - l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() - devlink: Release nested relation on devlink free - [arm64] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c - wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap - pcnet32: stop holding device spin lock during napi_complete_done - net: Annotate sk->sk_write_space() for UDP SOCKMAP. - hsr: Remove WARN_ONCE() in hsr_addr_is_self(). - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - net: fec: fix pinctrl default state restore order on resume - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() - Bluetooth: MGMT: validate advertising TLV before type checks - Bluetooth: RFCOMM: validate skb length in MCC handlers - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling - Bluetooth: bnep: reject short frames before parsing - Bluetooth: fix memory leak in error path of hci_alloc_dev() - Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync - Bluetooth: ISO: Fix not using bc_sid as advertisement SID - Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls - Bluetooth: MGMT: Fix backward compatibility with userspace - [arm64] octeontx2-pf: Fix NDC sync operation errors - [arm64] octeontx2-af: Fix initialization of mcam's entry2target_pffunc field - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options - ptp: vclock: Switch from RCU to SRCU - net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown - net_sched: act_pedit: use RCU in tcf_pedit_dump() - net/sched: fix pedit partial COW leading to page cache corruption (CVE-2026-46331) - [arm64] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow - vxlan: vnifilter: send notification on VNI add - vxlan: vnifilter: fix spurious notification on VNI update - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr - sctp: purge outqueue on stale COOKIE-ECHO handling - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams - ALSA: seq: dummy: fix UMP event stack overread - ima: kexec: skip IMA segment validation after kexec soft reboot - ima: kexec: move IMA log copy from kexec load to execute - spi: cadence-quadspi: fix unclocked access on unbind (CVE-2026-46203) - tools/rv: Fix cleanup after failed trace setup - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - iomap: don't revert iov_iter on partially completed buffered writes - dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() - netlabel: validate unlabeled address and mask attribute lengths - gpio: mvebu: fix NULL pointer dereference in suspend/resume - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls - tcp: restrict SO_ATTACH_FILTER to priv users - net: add pskb_may_pull() to skb_gro_receive_list() - net/mlx4: avoid GCC 10 __bad_copy_from() false positive - net: ibm: emac: Fix use-after-free during device removal - netdev: fix double-free in netdev_nl_bind_rx_doit() - net: phy: clean the sfp upstream if phy probing fails - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove - net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list - net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure - net/mlx5: Use effective affinity mask for IRQ selection - ipv6: sit: reload inner IPv6 header after GSO offloads - net: openvswitch: fix possible kfree_skb of ERR_PTR - r8152: handle the return value of usb_reset_device() - gpio: zynq: fix runtime PM leak on remove - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() - net: guard timestamp cmsgs to real error queue skbs - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: revalidate bridge ports - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister - netfilter: x_tables: avoid leaking percpu counter pointers - netfilter: nf_log: validate MAC header was set before dumping it - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag - [arm64,armhf] net: mvpp2: sync RX data at the hardware packet offset - [arm64,armhf] net: mvpp2: limit XDP frame size to the RX buffer - [arm64,armhf] net: mvpp2: Add metadata support for xdp mode - [arm64,armhf] net: mvpp2: refill RX buffers before XDP or skb use - [arm64,armhf] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS - ipv6: Fix a potential NPD in cleanup_prefix_route() - netfilter: ctnetlink: ensure safe access to master conntrack (CVE-2026-43116) - writeback: Avoid contention on wb->list_lock when switching inodes - writeback: Fix use after free in inode_switch_wbs_work_fn() - xfrm: hold device only for the asynchronous decryption - xfrm: hold dev ref until after transport_finish NF_HOOK (CVE-2026-31663) - [amd64] KVM: VMX: Update SVI during runtime APICv activation - [arm64] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked - clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs - [arm64] clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time - drm/virtio: Fix driver removal with disabled KMS - [arm64,armhf] drm/vc4: fix krealloc() memory leak - drm/xe: fix refcount leak in xe_range_fence_insert() - netfilter: nft_tunnel: fix use-after-free on object destroy - [arm64] tee: shm: fix shm leak in register_shm_helper() - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig - [arm64] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() - [amd64] accel/ivpu: Add bounds checks for firmware log indices - [amd64] accel/ivpu: Add buffer overflow check in MS get_info_ioctl - [amd64] accel/ivpu: Fix signed integer truncation in IPC receive - tracing/probes: Point the error offset correctly for eprobe argument error - mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation - KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying - [amd64] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA - [amd64] drm/i915/gem: Fix phys BO pread/pwrite with offset - pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL - xfrm: espintcp: do not reuse an in-progress partial send - USB: serial: io_ti: fix heap overflow in get_manuf_info() - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow - ALSA: timer: Forcibly close timer instances at closing - ALSA: timer: Fix UAF at snd_timer_user_params() - io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries - drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - mm/huge_memory: update file PMD counter before folio_put() - mm/damon/ops-common: call folio_test_lru() after folio_get() - RDMA/srp: bound SRP_RSP sense copy by the received length - zram: fix use-after-free in zram_bvec_write_partial() - udp: clear skb->dev before running a sockmap verdict - mptcp: fix retransmission loop when csum is enabled - mptcp: close TOCTOU race while computing rcv_wnd - mptcp: allow subflow rcv wnd to shrink - mptcp: sockopt: check timestamping ret value - mptcp: add-addr: always drop other suboptions - wifi: nl80211: reject oversized EMA RNR lists - vsock/vmci: fix sk_ack_backlog leak on failed handshake - timers/migration: Fix livelock in tmigr_handle_remote_up() - ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write - bnxt_en: Fix NULL pointer dereference - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN - inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush - pidfd: refuse access to tasks that have started exiting harder - fs/qnx6: fix pointer arithmetic in directory iteration - fuse: reject fuse_notify() pagecache ops on directories - i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() - i2c: stm32f7: fix timing computation ignoring i2c-analog-filter - i2c: tegra: Fix NOIRQ suspend/resume - Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates - misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - misc: fastrpc: fix use-after-free race in fastrpc_map_create - misc: fastrpc: fix DMA address corruption due to find_vma misuse - misc: fastrpc: Fix NULL pointer dereference in rpmsg callback - net/mlx5: Reorder completion before putting command entry in cmd_work_handler - net: bonding: fix NULL pointer dereference in bond_do_ioctl() - net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind - nvmem: core: fix use-after-free bugs in error paths - nvmem: layouts: onie-tlv: fix hang on unknown types - [arm64] octeontx2-af: fix memory leak in rvu_setup_hw_resources() - io_uring/kbuf: don't truncate end buffer for bundles - io_uring/wait: fix min_timeout behavior - mm/hugetlb: restore reservation on error in hugetlb folio copy paths - mmc: core: Fix host controller programming for fixed driver type - mmc: dw_mmc-rockchip: Add missing private data for very old controllers - mmc: litex_mmc: Set mandatory idle clocks before CMD0 - mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC - mmc: sdhci: add signal voltage switch in sdhci_resume_host - pmdomain: imx: fix OF node refcount - rtase: Avoid sleeping in get_stats64() - rtase: Reset TX subqueue when clearing TX ring - sctp: diag: reject stale associations in dump_one path - sctp: stream: fully roll back denied add-stream state - [amd64] thunderbolt: Reject zero-length property entries in validator - [amd64] thunderbolt: Bound root directory content to block size - [amd64] thunderbolt: Clamp XDomain response data copy to allocation size - [amd64] thunderbolt: Validate XDomain request packet size before type cast - [amd64] thunderbolt: Limit XDomain response copy to actual frame size - [arm64] slimbus: qcom-ngd-ctrl: fix OF node refcount - [arm64] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration - [arm64] slimbus: qcom-ngd-ctrl: Fix probe error path ordering - [arm64] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd - [arm64] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller - [arm64] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership - [arm64] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD - [arm64] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock - drm/amdkfd: fix NULL dereference in get_queue_ids() - drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 - drm/xe: Clear pending_disable before signaling suspend fence - [arm64,armhf] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups - drm/amdgpu: restart the CS if some parts of the VM are still invalidated - drm/amd/pm: fix smu13 power limit default/cap calculation - drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 - drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range - drm/amd/display: Bound VBIOS record-chain walk loops - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size - drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs - drm/amd/display: Use krealloc_array() in dal_vector_reserve() - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling - driver core: reject devices with unregistered buses - mailbox: Fix NULL message support in mbox_send_message() - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf - sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() - netfilter: nft_fib: fix stale stack leak via the OIFNAME register - mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison - RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper - RDMA/umem: Move umem dmabuf revoke logic into helper function - RDMA/umem: Add helpers for umem dmabuf revoke lock - RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - RDMA/umem: fix kernel-doc warnings - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G - mm/hugetlb: avoid false positive lockdep assertion - mptcp: fix missing wakeups in edge scenarios - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - vsock/virtio: fix potential unbounded skb queue - vsock/virtio: fix skb overhead accounting to preserve full buf_alloc - block: fix handling of dead zone write plugs - [arm64] cputype: Add NVIDIA Olympus definitions - [arm64] cputype: Add C1-Ultra definitions - [arm64] cputype: Add C1-Premium definitions - [arm64] errata: Mitigate TLBI errata on various Arm CPUs - [arm64] errata: Mitigate TLBI errata on NVIDIA Olympus CPU - [arm64] errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - net: introduce EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() - tcp: use EXPORT_IPV6_MOD[_GPL]() - tcp: secure_seq: add back ports to TS offset (CVE-2026-23247) - mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation - vsock/virtio: fix skb overhead overflow on 32-bit builds - netfilter: require Ethernet MAC header before using eth_hdr() . [ Salvatore Bonaccorso ] * [rt] Refresh "ARM: enable irq in translation/section permission fault" * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) linux-signed-amd64 (6.12.94+1~bpo12+1) bookworm-backports; urgency=medium . * Sign kernel from linux 6.12.94-1~bpo12+1 . * Rebuild for bookworm-backports linux-signed-amd64 (6.12.90+2) trixie-security; urgency=high . * Sign kernel from linux 6.12.90-2 . * smb: client: reject userspace cifs.spnego descriptions * net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) linux-signed-amd64 (6.12.90+2~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.90-2~bpo12+1 . * Rebuild for bookworm-backports linux-signed-amd64 (6.12.90+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.90-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.89 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.90 - HID: playstation: Clamp num_touch_reports - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [arm64] dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux - [arm64] regulator: mt6357: fix OF node reference imbalance - [arm64,armhf] regulator: rk808: fix OF node reference imbalance - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap - [amd64] media: intel/ipu6: fix error pointer dereference - media: saa7164: add ioremap return checks and cleanups - spi: aspeed-smc: fix controller deregistration - [amd64] platform/x86: hp-wmi: Ignore backlight and FnLock events - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy - [arm64] drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() - [amd64] drm/i915/psr: Init variable to avoid early exit from et alignment loop - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. - drm/amdgpu: gate VM CPU HDP flush on reset lock - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x - drm/amdkfd: Add upper bound check for num_of_nodes - drm/amdgpu: Add bounds checking to ib_{get,set}_value - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB - drm/amdgpu/vce: Prevent partial address patches - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg - drm/amd/display: Change dither policy for 10 bpc output back to dithering - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() - drm/amdkfd: validate SVM ioctl nattr against buffer size - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() - drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() - drm/radeon: add missing revision check for CI - drm/amdgpu: zero-initialize GART table on allocation - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds - drm/amdkfd: Make all TLB-flushes heavy-weight - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - [arm64] dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL - batman-adv: fix integer overflow on buff_pos - batman-adv: reject new tp_meter sessions during teardown - batman-adv: stop caching unowned originator pointers in BAT IV - batman-adv: bla: prevent use-after-free when deleting claims - batman-adv: bla: only purge non-released claims - batman-adv: bla: put backbone reference on failed claim hash insert - usb: typec: tcpm: reset internal port states on soft reset AMS - usb: dwc3: Move GUID programming after PHY initialization - ALSA: hda: cs35l56: Propagate ASP TX source control errors - ALSA: misc: Use guard() for spin locks - ALSA: core: Serialize deferred fasync state checks - ALSA: seq: Notify client and port info changes - ALSA: seq: Fix UMP group 16 filtering - Bluetooth: hci_conn: fix potential UAF in create_big_sync - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration - [arm64,armhf] spi: tegra114: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - block: cleanup blkdev_report_zones() - block: reorganize struct blk_zone_wplug - block: fix zone write plug removal - tracefs: Fix default permissions not being applied on initial mount - fbcon: Avoid OOB font access if console rotation fails - mm/damon/core: disallow time-quota setting zero esz - mm/damon/core: implement damon_kdamond_pid() - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values - bonding: fix use-after-free due to enslave fail after slave array update (CVE-2026-23171) - io_uring/kbuf: support min length left for incremental buffers - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() - btrfs: fix double free in create_space_info_sub_group() error path - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak - tracing/probes: Limit size of event probe to 3K - batman-adv: stop tp_meter sessions during mesh teardown - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - vsock: fix buffer size clamping order - vsock/virtio: fix length and offset in tap skb for split packets - vsock/virtio: fix empty payload in tap skb for non-linear buffers - vsock/virtio: fix accept queue count leak on transport mismatch - drm/amdgpu/vcn3: Avoid overflow on msg bound check - drm/amdgpu/vcn4: Avoid overflow on msg bound check . [ Salvatore Bonaccorso ] * Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (Closes: #1136790) * net: skbuff: preserve shared-frag marker during coalescing (CVE-2026-46300) * net: skbuff: propagate shared-frag marker through frag-transfer helpers linux-signed-amd64 (6.12.90+1~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.90-1~bpo12+1 . * Rebuild for bookworm-backports linux-signed-amd64 (6.12.88+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.88-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic linux-signed-amd64 (6.12.88+1~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.88-1~bpo12+1 . * Rebuild for bookworm-backports linux-signed-arm64 (6.12.94+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.94-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.91 - io_uring/kbuf: use mem_is_zero() - blk-cgroup: wait for blkcg cleanup before initializing new disk - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START - fs/mbcache: cancel shrink work before destroying the cache - md/raid1: fix the comparing region of interval tree - drbd: Balance RCU calls in drbd_adm_dump_devices() - loop: fix partition scan race between udev and loop_reread_partitions() - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() - pstore/ram: fix resource leak when ioremap() fails - md: wake raid456 reshape waiters before suspend - btrfs: pass struct btrfs_inode to clone_copy_inline_extent() - btrfs: fix deadlock between reflink and transaction commit when using flushoncommit - [amd64] ACPI: x86: cmos_rtc: Clean up address space handler driver - [amd64] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver - devres: fix missing node debug info in devm_krealloc() - thermal/drivers/spear: Fix error condition for reading st,thermal-flags - debugfs: check for NULL pointer in debugfs_create_str() - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() - soundwire: debugfs: initialize firmware_file to empty string - PCI: use generic driver_override infrastructure - platform/wmi: use generic driver_override infrastructure - [s390x] cio: use generic driver_override infrastructure - bus: fsl-mc: use generic driver_override infrastructure - irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter - hrtimers: Update the return type of enqueue_hrtimer() - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() - hrtimer: Reduce trace noise in hrtimer_start() - locking: Fix rwlock support in - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet - bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n - [s390x] bpf: Zero-extend bpf prog return values and kfunc arguments - params: Replace __modinit with __init_or_module - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control - wifi: mt76: mt7615: fix use_cts_prot support - wifi: mt76: mt7915: fix use_cts_prot support - wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() - wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor - wifi: mt76: mt7921: Place upper limit on station AID - [arm64] cpufeature: Make PMUVer and PerfMon unsigned - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() - wifi: mt76: mt7921: fix 6GHz regulatory update on connection - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path - bpf: Fix variable length stack write over spilled pointers - bpf,arc_jit: Fix missing newline in pr_err messages - wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() - r8152: fix incorrect register write to USB_UPHY_XTAL - [powerpc*] crash: fix backup region offset update to elfcorehdr - [powerpc*] crash: Update backup region offset in elfcorehdr on memory hotplug - macvlan: annotate data-races around port->bc_queue_len_used - bpf: fix end-of-list detection in cgroup_storage_get_next_key() - bpf: Fix stale offload->prog pointer after constant blinding - wifi: brcmfmac: Fix error pointer dereference - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() - wifi: ath10k: fix station lookup failure during disconnect - ACPI: AGDI: fix missing newline in error message - [arm64] kexec: Remove duplicate allocation for trans_pgd - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb - net: bcmgenet: add bcmgenet_has_* helpers - net: bcmgenet: move DESC_INDEX flow to ring 0 - net: bcmgenet: support reclaiming unsent Tx packets - net: bcmgenet: switch to use 64bit statistics - net: bcmgenet: fix racing timeout handler - eth: fbnic: Use wake instead of start - netfilter: xt_socket: enable defrag after all other checks - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - bpf: fix mm lifecycle in open-coded task_vma iterator - bpf: switch task_vma iterator from mmap_lock to per-VMA locks - bpf: return VMA snapshot from task_vma iterator - bpf: Fix RCU stall in bpf_fd_array_map_clear() - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf - bpf: Relax scalar id equivalence for state pruning - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars - net/sched: act_ct: Only release RCU read lock after ct_ft - net: airoha: Implement BQL support - net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() - bpf: Allow instructions with arena source and non-arena dest registers - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace - bpf: Fix OOB in pcpu_init_value - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 - net: phy: fix a return path in get_phy_c45_ids() - net/mlx5e: Fix features not applied during netdev registration - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec - net: phy: qcom: at803x: Use the correct bit to disable extended next page - ipv4: udp: fix typos in comments - ipv6: udp: fix typos in comments - udp: Force compute_score to always inline - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init(). - sctp: fix missing encap_port propagation for GSO fragments - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master - drm/komeda: fix integer overflow in AFBC framebuffer size check - ASoC: SOF: ipc3: Use standard dev_dbg API - ASoC: add symmetric_ prefix for dai->rate/channels/sample_bits - ASoC: soc-compress: use function to clear symmetric params - drm/sun4i: backend: fix error pointer dereference - ASoC: sti: Return errors from regmap_field_alloc() - ASoC: sti: use managed regmap_field allocations - dm cache: fix null-deref with concurrent writes in passthrough mode - dm cache: fix write path cache coherency in passthrough mode - dm cache: fix write hang in passthrough mode - dm cache policy smq: fix missing locks in invalidating cache blocks - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching - platform/chrome: chromeos_tbmc: Drop wakeup source on remove - PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs encoding - PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() - PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() - dm cache metadata: fix memory leak on metadata abort retry - dm log: fix out-of-bounds write due to region_count overflow - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check - spi: spi-nxp-fspi: enable runtime pm for fspi - spi: nxp-fspi: Use reinit_completion() for repeated operations - spi: fsl-qspi: Use reinit_completion() for repeated operations - media: i2c: og01a1b: Replace client->dev usage - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe - drm/v3d: Handle error from drm_sched_entity_init() - drm/sun4i: Fix resource leaks - drm/amdgpu: Add default case in DVI mode validation - dm init: ensure device probing has finished in dm-mod.waitfor= - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break - crypto: tegra - finalize crypto req on error - crypto: tegra - Transfer HASH init function to crypto engine - crypto: tegra - Reserve keyslots to allocate dynamically - crypto: tegra - Disable softirqs before finalizing request - crypto: atmel - Use unregister_{aeads,ahashes,skciphers} - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs - padata: Remove cpu online check from cpu add and removal - padata: Put CPU offline callback in ONLINE section to allow failure - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation - drm/amdgpu/gfx10: look at the right prop for gfx queue priority - drm/amdgpu/gfx11: look at the right prop for gfx queue priority - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo - drm/imagination: Switch reset_reason fields from enum to u32 - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() - [arm64] drm/msm/dpu: fix mismatch between power and frequency - [arm64] drm/msm/dsi: add the missing parameter description - [arm64] drm/msm/dsi: fix bits_per_pclk - [arm64] drm/msm/dsi: fix hdisplay calculation for CMD mode panel - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first - drm/panel: simple: Correct G190EAN01 prepare timing - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board - drm/amdgpu: add amdgpu_device reference in ip block - drm/amdgpu: update the handle ptr in dump_ip_state - drm/amdgpu: update the handle ptr in early_init - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled - hwmon: Switch back to struct platform_driver::remove() - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') - [amd64] ASoC: SOF: Intel: hda: Place check before dereference - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/shrinker: Fix can_block() logic - [arm64] drm/msm/a6xx: Fix dumping A650+ debugbus blocks - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - pmdomain: ti: omap_prm: Fix a reference leak on device node - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() - PM: domains: De-constify fields in struct dev_pm_domain_attach_data - ASoC: fsl_micfil: Add access property for "VAD Detected" - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() - ASoC: fsl_micfil: Fix event generation in micfil_quality_set() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() - ASoC: fsl_easrc: Change the type for iec958 channel status controls - [amd64] iommu/amd: Remove protection_domain.dev_cnt variable - [amd64] iommu/amd: xarray to track protection_domain->iommu list - [amd64] iommu/amd: Do not detach devices in domain free path - [amd64] iommu/amd: Reduce domain lock scope in attach device path - [amd64] iommu/amd: Rearrange attach device code - [amd64] iommu/amd: Convert dev_data lock from spinlock to mutex - [amd64] iommu/amd: Introduce helper function to update 256-bit DTE - [amd64] iommu/amd: Introduce helper function get_dte256() - [amd64] iommu/amd: Fix clone_alias() to use the original device's devid - [arm64] ASoC: qcom: qdsp6: topology: check widget type before accessing data - crypto: qat - introduce fuse array - crypto: qat - disable 4xxx AE cluster when lead engine is fused off - crypto: qat - disable 420xx AE cluster when lead engine is fused off - crypto: qat - fix type mismatch in RAS sysfs show functions - crypto: qat - use swab32 macro - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] - PCI: Enable AtomicOps only if Root Port supports them - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found - Documentation: fix a hugetlbfs reservation statement - ALSA: scarlett2: Add missing sentinel initializer field - ASoC: SOF: compress: return the configured codec from get_params - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports - PCI: tegra194: Fix polling delay for L2 state - PCI: tegra194: Increase LTSSM poll time on surprise link down - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down - PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0() - PCI: tegra194: Don't force the device into the D0 state before L2 - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode - PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" - PCI: tegra194: Disable direct speed change for Endpoint mode - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode - PCI: tegra194: Allow system suspend when the Endpoint link is not up - PCI: tegra194: Free up Endpoint resources during remove() - PCI: tegra194: Use DWC IP core version - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on - spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback - ALSA: sc6000: Keep the programmed board state in card-private data - dm cache: fix missing return in invalidate_committed's error path - crypto: jitterentropy - replace long-held spinlock with mutex - ALSA: hda/realtek - fixed speaker no sound update - gfs2: Call unlock_new_inode before d_instantiate - net/socket.c: switch to CLASS(fd) - fdget(), trivial conversions - fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() - quota: Fix race of dquot_scan_active() with quota deactivation - gfs2: add some missing log locking - gfs2: prevent NULL pointer dereference during unmount - efi/capsule-loader: fix incorrect sizeof in phys array reallocation - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine - [arm64] dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon - memory: tegra124-emc: Fix dll_change check - memory: tegra30-emc: Fix dll_change check - [arm64] dts: imx8-apalis: Fix LEDs name collision - [arm64] dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) - iommufd: vfio compatibility extension check for noiommu mode - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7981b: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count - [arm64] dts: qcom: msm8953-xiaomi-vince: correct wled ovp value - [arm64] dts: qcom: msm8953-xiaomi-daisy: fix backlight - [arm64] dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi - [arm64] dts: rockchip: Correct Fan Supply for Gameforce Ace - [arm64] dts: rockchip: Correct Joystick Axes on Gameforce Ace - [arm64] soc: qcom: ocmem: make the core clock optional - [arm64] soc: qcom: ocmem: register reasons for probe deferrals - [arm64] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available - bus: rifsc: fix RIF configuration check for peripherals - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix GIC_ITS range length - [arm64] dts: qcom: sm8650: Fix GIC_ITS range length - [arm64] dts: qcom: sm8550: Fix xo clock supply of platform SD host controller - [arm64] dts: qcom: sm8650: Fix xo clock supply of SD host controller - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - [arm64] dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins - [arm64] dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins - [arm64] dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label - [arm64] dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing - [arm64] dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit - [arm64] dts: lx2160a: remove duplicate pinmux nodes - [arm64] dts: lx2160a: rename pinmux nodes for readability - [arm64] dts: lx2160a: add sda gpio references for i2c bus recovery - [arm64] dts: lx2160a: change zeros to hexadecimal in pinmux nodes - [arm64] dts: lx2160a: complete pinmux for rcwsr12 configuration word - [arm64] dts: imx8qm-mek: switch Type-C connector power-role to dual - [arm64] dts: imx8qxp-mek: switch Type-C connector power-role to dual - soc/tegra: cbb: Set ERD on resume for err interrupt - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure - ocfs2/dlm: validate qr_numregions in dlm_match_regions() - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison - soc: qcom: llcc: fix v1 SB syndrome register offset - [arm64] soc: qcom: aoss: compare against normalized cooling state - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP - [arm64] xor: fix conflicting attributes for xor_block_template - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP - ocfs2: fix listxattr handling when the buffer is full - ocfs2: validate bg_bits during freefrag scan - ocfs2: validate group add input before caching - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function - soundwire: bus: demote UNATTACHED state warnings to dev_dbg() - dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - soundwire: cadence: Clear message complete before signaling waiting thread - tracing: Rebuild full_name on each hist_field_name() call - hte: tegra194: remove Kconfig dependency on Tegra194 SoC - remoteproc: xlnx: Fix sram property parsing - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: make asus_resume adhere to linux kernel coding standards - HID: asus: do not abort probe when not necessary - mtd: physmap_of_gemini: Fix disabled pinctrl state check - ima_fs: don't bother with removal of files in directory we'll be removing - ima_fs: get rid of lookup-by-dentry stuff - ima_fs: Correctly create securityfs files for unsupported hash algos - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range - mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions - cxl/pci: Check memdev driver binding status in cxl_reset_done() - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() - ext4: fix possible null-ptr-deref in mbt_kunit_exit() - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check - bpf, sockmap: Fix af_unix iter deadlock - bpf, sockmap: Fix af_unix null-ptr-deref in proto update - bpf, sockmap: Take state lock for af_unix iter - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - bpf: Fix NULL deref in map_kptr_match_type for scalar regs - bpf: allow UTF-8 literals in bpf_bprintf_prepare() - bpf: Validate node_id in arena_alloc_pages() - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT - pinctrl: pinctrl-pic32: Fix resource leak - pinctrl: cy8c95x0: remove duplicate error message - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() - pinctrl: cy8c95x0: Avoid returning positive values to user space - perf branch: Avoid incrementing NULL - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace - pinctrl: realtek: Fix function signature for config argument - pinctrl: abx500: Fix type of 'argument' variable - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers - perf lock: Fix option value type in parse_max_stack - perf stat: Fix opt->value type for parse_cache_level - perf tools: Fix module symbol resolution for non-zero .text sh_addr - perf expr: Return -EINVAL for syntax error in expr__find_ids() - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure - ipmi: ssif_bmc: fix message desynchronization after truncated response - ipmi: ssif_bmc: change log level to dbg in irq callback - perf evsel: Add alternate_hw_config and use in evsel__match - perf tool_pmu: Factor tool events into their own PMU - perf python: Add parse_events function - perf cgroup: Update metric leader in evlist__expand_cgroup - perf maps: Fix copy_from that can break sorted by name order - perf util: Kill die() prototype, dead for a long time - reset: replace boolean parameters with flags parameter - reset: Add devres helpers to request pre-deasserted reset controls - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status - backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() - platform/surface: surfacepro3_button: Drop wakeup source on remove - leds: lgm-sso: Remove duplicate assignments for priv->mmap - tty: hvc_iucv: fix off-by-one in number of supported devices - platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - [amd64] platform/x86: asus-wmi: adjust screenpad power/brightness handling - [amd64] platform/x86: asus-wmi: fix screenpad brightness range - tty: serial: ip22zilog: Fix section mispatch warning - fs/ntfs3: terminate the cached volume label after UTF-8 conversion - [amd64] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - [amd64] platform/x86: dell-wmi-sysman: bound enumeration string aggregation - RDMA/core: Prefer NLA_NUL_STRING - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source - scsi: sg: Fix sysctl sg-big-buff register during sg_init() - scsi: sg: Resolve soft lockup issue when opening /dev/sgX - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting - scsi: target: core: Fix integer overflow in UNMAP bounds check - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Add missing GDSCs - clk: qcom: gcc-sc8180x: Use retention for USB power domains - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - clk: imx8mq: Correct the CSI PHY sels - [amd64] x86/um/vdso: Drop VDSO64-y from Makefile - clk: qoriq: avoid format string warning - clk: xgene: Fix mapping leak in xgene_pllclk_init() - dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets - clk: qcom: dispcc-sc7180: Add missing MDSS resets - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON - clk: visconti: pll: initialize clk_init_data to zero - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() - [amd64] drm/i915: Relocate the SKL wm sanitation code - [amd64] drm/i915/wm: Verify the correct plane DDB entry - crypto: sa2ul - Fix AEAD fallback algorithm names - crypto: ccp - copy IV using skcipher ivsize - erofs: add encoded extent on-disk definition - erofs: do sanity check on m->type in z_erofs_load_compact_lcluster() - erofs: avoid infinite loops due to corrupted subpage compact indexes (CVE-2025-68251) - erofs: unify lcn as u64 for 32-bit platforms - [arm64] dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT - PCMCIA: Fix garbled log messages for KERN_CONT - [arm64] dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT - [arm64] dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names - net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir - macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: fix IPv6 route referencing IPv4 nexthop - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch - tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE - tcp: annotate data-races around tp->bytes_sent - tcp: annotate data-races around tp->bytes_retrans - tcp: annotate data-races around tp->dsack_dups - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - tcp: annotate data-races around tp->plb_rehash - ice: update PCS latency settings for E825 10G/25Gb modes - ice: Remove jumbo_remove step from TX path - ice: fix double-free of tx_buf skb - ice: fix ICE_AQ_LINK_SPEED_M for 200G - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks - pppoe: drop PFC frames - net/mlx5: Fix HCA caps leak on notifier init failure - openvswitch: cap upcall PID array size and pre-size vport replies - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO - netfilter: conntrack: remove sprintf usage - netfilter: xtables: restrict several matches to inet family - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check - slip: reject VJ receive packets on instances with no rstate array - slip: bound decode() reads against the compressed packet length - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - pwm: atmel-tcb: Cache clock rates and mark chip as atomic - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() - ksmbd: destroy async_ida in ksmbd_conn_free() - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open - ksmbd: scope conn->binding slowpath to bound sessions only - net/rds: zero per-item info buffer before handing it to visitors - ice: fix timestamp interrupt configuration for E825C - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - net: dsa: realtek: rtl8365mb: fix mode mask calculation - net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() - virtio_net: Split struct virtio_net_rss_config - virtio_net: Fix endian with virtio_net_ctrl_rss - virtio_net: Use new RSS config structs - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() - rtc: abx80x: Disable alarm feature if no interrupt attached - kbuild: builddeb - avoid recompiles for non-cross-compiles - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case - mailbox: mailbox-test: free channels on probe error - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array - mailbox: mailbox-test: don't free the reused channel - mailbox: mailbox-test: initialize struct earlier - mailbox: mailbox-test: make data_ready a per-instance variable - fsnotify: fix inode reference leak in fsnotify_recalc_mask() - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - cgroup: Increment nr_dying_subsys_* from rmdir context - tracing: branch: Fix inverted check on stat tracer registration - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers - netfilter: arp_tables: fix IEEE1394 ARP payload parsing - nvme-pci: fix missed admin queue sq doorbell write - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG - drm/amdgpu: fix spelling typos - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching - netfilter: nf_conntrack_sip: don't use simple_strtoul - [amd64] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ - drm/sysfb: ofdrm: fix PCI device reference leaks - arm64/scs: Fix potential sign extension issue of advance_loc4 - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets - net/sched: netem: only reseed PRNG when seed is explicitly provided - net/sched: netem: validate slot configuration - net/sched: netem: fix slot delay calculation overflow - net/sched: netem: check for negative latency and jitter - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - NFC: trf7970a: Ignore antenna noise when checking for RF field - net/sched: taprio: fix NULL pointer dereference in class dump - neigh: let neigh_xmit take skb ownership - tcp: make probe0 timer handle expired user timeout - net, treewide: define and use MAC_ADDR_STR_LEN - netconsole: allow selection of egress interface via MAC address - netpoll: Extract carrier wait function - netpoll: extract IPv4 address retrieval into helper function - netpoll: fix IPv6 local-address corruption - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams - sched/fair: Clear rel_deadline when initializing forked entities - net: mctp i2c: check length before marking flow active - net: phy: dp83869: fix setting CLK_O_SEL field. - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring - ASoC: codecs: ab8500: Fix casting of private data - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - netconsole: propagate device name truncation in dev_name_store() - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 - ALSA: hda/conexant: Fix missing error check for jack detection - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - drm/xe/debugfs: Correct printing of register whitelist ranges - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() - drm/xe/gsc: Fix BO leak on error in query_compatibility_version() - page_pool: Set `dma_sync` to false for devmem memory provider - net: page_pool: create hooks for custom memory providers - page_pool: fix memory-provider leak in page_pool_create_percpu() error path - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING - iavf: stop removing VLAN filters from PF on interface down - iavf: wait for PF confirmation before removing VLAN filters - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler - ice: fix NULL pointer dereference in ice_reset_all_vfs() - net: tls: fix strparser anchor skb leak on offload RX setup failure - sfc: fix error code in efx_devlink_info_running_versions() - net/sched: cls_flower: revert unintended changes - [arm64] Reserve an extra page for early kernel mapping - smb: client: correctly handle ErrorContextData as a flexible array - smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613) - LoongArch: KVM: Compile switch.S directly into the kernel - ntfs: ->d_compare() must not block - PCI: Initialize temporary device in new_id_store() - net: bcmgenet: Initialize u64 stats seq counter - net: bcmgenet: fix leaking free_bds - [amd64] iommu/amd: Reorder attach device code - [amd64] iommu/amd: Put list_add/del(dev_data) back under the domain->lock - perf tool_pmu: Fix aggregation on duration_time - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - netpoll: Extract IPv6 address retrieval function - netpoll: pass buffer size to egress_dev() to avoid MAC truncation - page_pool: fix incorrect mp_ops error handling - crypto: af_alg - Cap AEAD AD length to 0x80000000 - i40e: Cleanup PTP pins on probe failure - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path - netfilter: nf_conntrack_sip: get helper before allocating expectation - audit: fix incorrect inheritable capability in CAPSET records - Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" - netfilter: nft_ct: fix missing expect put in obj eval - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic - [amd64] KVM: x86: Fix Xen hypercall tracepoint argument assignment - netfilter: nf_tables: unconditionally bump set->nelems before insertion (CVE-2026-23272) - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands - smb/client: fix possible infinite loop and oob read in symlink_data() - [amd64] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans - ALSA: usb-audio: Bound MIDI endpoint descriptor scans - ceph: fix a buffer leak in __ceph_setxattr() - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - [powerpc*] warp: Fix error handling in pika_dtm_thread - netfs: fix error handling in netfs_extract_user_iter() - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining - libceph: Fix potential out-of-bounds access in osdmap_decode() - libceph: Fix potential null-ptr-deref in decode_choose_args() - libceph: Fix potential out-of-bounds access in crush_decode() - libceph: handle rbtree insertion error in decode_choose_args() - [amd64] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [amd64] drm/i915: skip __i915_request_skip() for already signaled requests - drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - drm/xe/dma-buf: handle empty bo and UAF races - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - drm/gma500/oaktrail_lvds: fix hang on init failure - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init - iommufd: Fix return value of iommufd_fault_fops_write() - eventfs: Use list_add_tail_rcu() for SRCU-protected children list - drm/v3d: Reject empty multisync extension to prevent infinite loop - btrfs: use inode already stored in local variable at btrfs_rmdir() - btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() - btrfs: fix missing last_unlink_trans update when removing a directory - smb: client: Use FullSessionKey for AES-256 encryption key derivation - btrfs: do not mark inode incompressible after inline attempt fails - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() - sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new - mptcp: pm: prio: skip closed subflows - mptcp: drop __mptcp_fastopen_gen_msk_ackseq() - mptcp: fix rx timestamp corruption on fastopen - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix false alarm of lockdep on cp_global_sem lock - spi: sifive: Simplify clock handling with devm_clk_get_enabled() - spi: sifive: fix controller deregistration - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - netfs: Fix potential uninitialised var in netfs_extract_user_iter() https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.92 - mptcp: sync the msk->sndbuf at accept() time - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount (CVE-2026-46158) - mptcp: pm: ADD_ADDR rtx: free sk if last (CVE-2026-46170) - ksmbd: validate owner of durable handle on reconnect (CVE-2026-31717) - drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() (CVE-2026-46216) - [s390x] debug: Reject zero-length input before trimming a newline - Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" - Revert "perf tool_pmu: Fix aggregation on duration_time" - Revert "perf python: Add parse_events function" - Revert "perf tool_pmu: Factor tool events into their own PMU" - bridge: mrp: reject zero test interval to avoid OOM panic (CVE-2026-31420) - spi: spi-dw-dma: fix print error log when wait finish transaction (CVE-2026-31560) - Revert "x86/vdso: Fix output operand size of RDPID" - sched/deadline: Less agressive dl_server handling - sched/deadline: Fix dl_server_stopped() - sched/deadline: Fix dl_server getting stuck - sched/deadline: Fix dl_server behaviour - sched/deadline: Stop dl_server before CPU goes offline - ksmbd: close durable scavenger races against m_fp_list lookups - af_unix: Give up GC if MSG_PEEK intervened. (CVE-2026-23394) - drm/imagination: Synchronize interrupts before suspending the GPU (CVE-2026-23469) - ata: libata-scsi: improve readability of ata_scsi_qc_issue() - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS - ata: libata-scsi: do not needlessly defer commands when using PMP with FBS - perf parse-events: Expose/rename config_term_name - Revert "ice: fix double-free of tx_buf skb" - Revert "ice: Remove jumbo_remove step from TX path" - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 - net/mlx5e: Trigger neighbor resolution for unresolved destinations - net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init - [amd64] x86/fgraph: Fix return_to_handler regs.rsp value - [amd64] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set - [riscv64] fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS - [riscv64] fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler (CVE-2025-22069) - hwmon: (pmbus/core) Protect regulator operations with mutex - [arm64] Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL - sysfs: don't remove existing directory on update failure - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() - ksmbd: fix null pointer dereference in compare_guid_key() - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow - ksmbd: validate SID in parent security descriptor during ACL inheritance - smb: client: require net admin for CIFS SWN netlink - smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() - smb: client: use data_len for SMB2 READ encrypted folioq copy - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX - ALSA: ua101: Reject too-short USB descriptors - ALSA: pcm: Don't setup bogus iov_iter for silencing - ALSA: asihpi: Fix potential OOB array access at reading cache - efi: Allocate runtime workqueue before ACPI init - io_uring/waitid: clear waitid info before copying it to userspace - drivers/base/memory: fix memory block reference leak in poison accounting - ipv6: ioam: refresh hdr pointer before ioam6_event() - mm/memory_hotplug: fix memory block reference leak on remove - net: wwan: iosm: fix potential memory leaks in ipc_imem_init() - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer - Bluetooth: MGMT: validate Add Extended Advertising Data length - Bluetooth: serialize accept_q access - phonet/pep: disable BH around forwarded sk_receive_skb() - net: bcmgenet: keep RBUF EEE/PM disabled - net: ifb: report ethtool stats over num_tx_queues - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() - netfilter: ip6t_hbh: reject oversized option lists - netfilter: nf_queue: hold bridge skb->dev while queued - netfilter: ipset: stop hash:* range iteration at end - netfilter: nft_inner: Fix IPv6 inner_thoff desync - sched_ext: Fix missing warning in scx_set_task_state() default case - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path - cgroup/cpuset: Reset DL migration state on can_attach() failure - fs/ntfs3: handle attr_set_size() errors when truncating files - l2tp: use list_del_rcu in l2tp_session_unhash - qed: fix double free in qed_cxt_tables_alloc() - ring-buffer: Fix reporting of missed events in iterator - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() - vsock/vmci: fix UAF when peer resets connection during handshake - vsock/virtio: reset connection on receiving queue overflow - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - rbd: eliminate a race in lock_dwork draining on unmap - lsm: hold cred_guard_mutex for lsm_set_self_attr() - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index - ice: fix setting promisc mode while adding VID filter - ice: restore PTP Rx timestamp config after ethtool set-channels - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - af_unix: Fix UAF read of tail->len in unix_stream_data_wait() - wifi: mac80211: consume only present negotiated TTLM maps - cifs: Fix busy dentry used after unmounting - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [arm64] probes: Handle probes on hinted conditional branch instructions - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits - [arm64] KVM: arm64: vgic: Free private_irqs when init fails after allocation - [riscv64] kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe - spi: qup: fix error pointer deref after DMA setup failure - [arm64] phy: tegra: xusb: Fix per-pad high-speed termination calibration - scsi: isci: Fix use-after-free in device removal path - spi: ep93xx: fix error pointer deref after DMA setup failure - spi: sprd: fix error pointer deref after DMA setup failure - spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - device property: set fwnode->secondary to NULL in fwnode_init() - drm/virtio: use uninterruptible resv lock for plane updates - drm/amdgpu/vpe: Force collaborate sync after TRAP - drm/bridge: it66121: acquire reset GPIO in probe - drm/bridge: megachips: remove bridge when irq request fails - drm/amd/display: Fix integer overflow in bios_get_image() - drm/amd/display: Validate GPIO pin LUT table size before iterating - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown - batman-adv: dat: handle forward allocation error - batman-adv: fix fragment reassembly length accounting - batman-adv: fix tp_meter counter underflow during shutdown - batman-adv: frag: disallow unicast fragment in fragment - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock - hwmon: (pmbus/adm1266) reject implausible blackbox record_count - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors - [arm64] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume - HID: uclogic: Fix regression of input name assignment - [riscv64] mm: Fixup no5lvl failure when vaddr is invalid - [arm64] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 - ALSA: hda: cs35l56: Put ACPI device after setting companion - ALSA: hda: cs35l41: Put ACPI device on missing physical node - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - netfilter: x_tables: unregister the templates first - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() - tcp: Fix imbalanced icsk_accept_queue count. - ice: fix setting RSS VSI hash for E830 - ice: fix locking in ice_dcb_rebuild() - net: lan966x: avoid unregistering netdev on register failure - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - NFSD: Fix infinite loop in layout state revocation - irqchip/ath79-cpu: Remove unused function - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation - nsfs: fix wrong error code returned for pidns ioctls - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT - zonefs: handle integer overflow in zonefs_fname_to_fno - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). - [powerpc*] fix dead default for GUEST_STATE_BUFFER_TEST - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call - netfs: Fix overrun check in netfs_extract_user_iter() - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone - netfs: Defer the emission of trace_netfs_folio() - netfs: Fix streaming write being overwritten - netfs: Fix potential deadlock in write-through mode - netfs: Fix write streaming disablement if fd open O_RDWR - netfs: Fix early put of sink folio in netfs_read_gaps() - netfs: Fix partial invalidation of streaming-write folio - netfs: Fix a few minor bugs in netfs_page_mkwrite() - netfs: Remove unnecessary references to pages - netfs: Fix folio->private handling in netfs_perform_write() - net: ethernet: cortina: Make RX SKB per-port - net: ethernet: cortina: Drop half-assembled SKB - net: ethernet: cortina: Carry over frag counter - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference - wifi: ath11k: fix error path leaks in some WMI WOW calls - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() - wifi: ath10k: skip WMI and beacon transmission when device is wedged - blk-integrity: remove seed for user mapped buffers - block: don't overwrite bip_vcnt in bio_integrity_copy_user() - block: recompute nr_integrity_segments in blk_insert_cloned_request - HID: quirks: really enable the intended work around for appledisplay - block: modify bio_integrity_map_user to accept iov_iter as argument - block: drop direction param from bio_integrity_copy_user() - blk-integrity: use simpler alignment check - blk-integrity: enable p2p source and destination - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() - accel/qaic: Add overflow check to remap_pfn_range during mmap - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - [arm64] drm/msm/dsi: don't dump registers past the mapped region - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN - [powerpc*] time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - net: phy: DP83TC811: add reading of abilities - [amd64] x86/xen: Fix xen_e820_swap_entry_with_ram() - tls: Preserve sk_err across recvmsg() when data has been copied - net/mlx5: Do not restore destination-less TC rules - scsi: sd: Fix return code handling in sd_spinup_disk() - ALSA: scarlett2: Add missing error check when initialise Autogain Status - io_uring/net: punt IORING_OP_BIND async if it needs file create - btrfs: fix squota accounting during enable generation - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions - drm/xe/gsc: Fix double-free of managed BO in error path - drm/xe/vf: Fix signature of print functions - drm/xe/pf: Fix CFI failure in debugfs access - wifi: ath11k: fix peer resolution on rx path when peer_id=0 - ice: ptp: serialize E825 PHY timer start with PTP lock - [amd64] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP - [arm64] net: dsa: mt7530: fix FDB entries not aging out with short timeout - [arm64] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer - platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 - [amd64] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL - [amd64] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - [amd64] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL - RDMA/rtrs: Fix use-after-free in path file creation cleanup - net: bridge: Flush multicast groups when snooping is disabled - bridge: mcast: Fix a possible use-after-free when removing a bridge port - pds_core: fix error handling in pdsc_devcmd_wait - pds_core: fix debugfs_lookup dentry leak and error handling - wifi: mac80211: fix MLE defragmentation - ALSA: seq: Serialize UMP output teardown with event_input - tracing: Avoid NULL return from hist_field_name() on truncation - Bluetooth: btmtk: fix urb->setup_packet leak in error paths - net: ag71xx: check error for platform_get_irq - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() - drm/xe/oa: Fix exec_queue leak on width check in stream open - [arm64] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs - net: mana: validate rx_req_idx to prevent out-of-bounds array access - pds_core: ensure null-termination for firmware version strings - net: gro: don't merge zcopy skbs - landlock: Fix TCP handling of short AF_UNSPEC addresses - block: make bio_integrity_map_user() static inline - security/keys: fix missed RCU read section on lookup https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.93 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - [arm64] drm/v3d: Fix use-after-free of CPU job query arrays on error path - [arm64] drm/v3d: Release indirect CSD GEM reference on CPU job free - net/sched: cls_fw: fix NULL dereference of "old" filters before change() - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930) - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - bcache: fix uninitialized closure object - net: cpsw_new: Fix potential unregister of netdev that has not been registered yet (CVE-2026-43219) - [arm64] Introduce esr_is_ubsan_brk() - [arm64] debug: clean up single_step_handler logic - [arm64] refactor aarch32_break_handler() - [arm64] debug: call software breakpoint handlers statically - [arm64] debug: call step handlers statically - [arm64] debug: remove break/step handler registration infrastructure - [arm64] entry: Add entry and exit functions for debug exceptions - [arm64] debug: split hardware breakpoint exception entry - [arm64] debug: refactor reinstall_suspended_bps() - [arm64] debug: split single stepping exception entry - [arm64] debug: split hardware watchpoint exception entry - [arm64] debug: split brk64 exception entry - [arm64] debug: split bkpt32 exception entry - [arm64] debug: remove debug exception registration infrastructure - [arm64] debug: always unmask interrupts in el0_softstp() - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - vsock: keep poll shutdown state consistent - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - [s390x] net/iucv: fix locking in .getsockopt - scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - ALSA: pcm: oss: Fix setup list UAF on proc write error - [amd64] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - net: hsr: fix potential OOB access in supervision frame handling - [amd64] accel/ivpu: prevent uninitialized data bug in debugfs - gpio: mxc: fix irq_high handling - net: Avoid checksumming unreadable skb tail on trim - ethtool: rss: fix hkey leak when indir_size is 0 - ethtool: module: avoid leaking a netdev ref on module flash errors - ethtool: module: check fw_flash_in_progress under rtnl_lock - ethtool: module: fix cleanup if socket used for flashing multiple devices - ethtool: cmis: require exact CDB reply length - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl - net: ethtool: Add new parameters and a function to support EPL - net: ethtool: Add support for writing firmware blocks using EPL payload - ethtool: cmis: validate start_cmd_payload_size from module - ethtool: cmis: validate fw->size against start_cmd_payload_size - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - ASoC: codecs: simple-mux: Fix enum control bounds check - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - bonding: refuse to enslave CAN devices - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error - ethtool: pse-pd: fix missing ethnl_ops_complete() - ethtool: strset: fix header attribute index in ethnl_req_get_phydev() - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback - ethtool: eeprom: add more safeties to EEPROM Netlink fallback - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" - net/sched: fix packet loop on netem when duplicate is on - net/sched: act_mirred: Move the recursion counter struct netdev_xmit - net/sched: act_mirred: add loop detection - net: Introduce skb tc depth field to track packet loops - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop - net/sched: act_mirred: Fix return code in early mirred redirect error paths - net/handshake: Use spin_lock_bh for hn_lock - nvme-tcp: store negative errno in queue->tls_err - net/handshake: Pass negative errno through handshake_complete() - remove pointless includes of - net/handshake: Take a long-lived file reference at submit - net/handshake: Drain pending requests at net namespace exit - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close - [arm64,armhf] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() - [amd64,arm64] net: mana: Add NULL guards in teardown path to prevent panic on attach failure - sctp: fix race between sctp_wait_for_connect and peeloff - ipv6: fix possible infinite loop in rt6_fill_node() - ipv6: fix possible infinite loop in fib6_select_path() - net: skbuff: fix pskb_carve leaking zcopy pages - perf: Fix dangling cgroup pointer in cpuctx - batman-adv: v: stop OGMv2 on disabled interface - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: tt: reject oversized local TVLV buffers - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: avoid role confusion in tp_list - [s390x] cio: Restore GFP_DMA for CHSC allocation - batman-adv: tp_meter: directly shut down timer on cleanup - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303) - media: rc: fix race between unregister and urb/irq callbacks - media: rc: ttusbir: fix inverted error logic - inet: frags: add inet_frag_queue_flush() - inet: frags: flush pending skbs in fqdir_pre_exit() (CVE-2025-68768) - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: introduce hid_safe_input_report() - HID: core: Fix size_t specifier in hid_report_raw_event() - [amd64] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register - [amd64] drm/i915/psr: Read Intel DPCD workaround register - drm/dp: Add eDP 1.5 bit definition - [amd64] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used - [arm64] io: Rename ioremap_prot() to __ioremap_prot() - [arm64] io: Extract user memory type in ioremap_prot() (CVE-2026-23346) - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X - batman-adv: tt: prevent TVLV entry number overflow - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers - usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT - usb: typec: ucsi: validate connector number in ucsi_connector_change() - USB: serial: safe_serial: fix memory corruption with small endpoint - media: rc: igorplugusb: fix control request setup packet - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range - auxdisplay: line-display: fix OOB read on zero-length message_store() - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - Bluetooth: HIDP: fix missing length checks in hidp_input_report() - Bluetooth: ISO: fix UAF in iso_recv_frame - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync - Input: xpad - fix out-of-bounds access for Share button - parport: Fix race between port and client registration (Closes: #1130365) - USB: cdc-acm: Fix bit overlap and move quirk definitions to header - [arm64] KVM: arm64: PMU: Preserve AArch32 counter low bits - [amd64] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC - [amd64] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use - [amd64] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests - [amd64] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - [amd64] KVM: SEV: Compute the correct max length of the in-GHCB scratch area - [amd64] KVM: SEV: Check PSC request indices against the actual size of the buffer - [amd64] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer - [amd64] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux - iio: adc: npcm: fix unbalanced clk_disable_unprepare() - iio: dac: max5821: fix return value check in powerdown sync - iio: dac: ad5686: fix input raw value check - iio: dac: ad5686: acquire lock when doing powerdown control - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: gyro: adis16260: fix division by zero in write_raw - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() - USB: serial: omninet: fix memory corruption with small endpoint - usb: cdns3: gadget: fix request skipping after clearing halt - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - wireguard: send: append trailer after expanding head - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ipv6: exthdrs: refresh nh after handling HAO option - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - xfrm: input: hold netns during deferred transport reinjection - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - net: skbuff: fix missing zerocopy reference in pskb_carve helpers - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: xpad - add "Nova 2 Lite" from GameSir - Input: xpad - add support for ASUS ROG RAIKIRI II - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [amd64] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [amd64] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - counter: Fix refcount leak in counter_alloc() error path - tty: serial: pch_uart: add check for dma_alloc_coherent() - tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - usb: typec: tcpm: improve handling of DISCOVER_MODES failures - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - usb: gadget: f_fs: copy only received bytes on short ep0 read - usb: gadget: f_fs: serialize DMABUF cancel against request completion - [amd64] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - [amd64] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - scsi: target: iscsi: Validate CHAP_R length before base64 decode - drm/hyperv: validate resolution_count and fix WIN8 fallback - drm/hyperv: validate VMBus packet size in receive callback - [amd64] drm/i915: Fix potential UAF in TTM object purge - drm/amd/pm/si: Disregard vblank time when no displays are connected - serial: altera_jtaguart: handle uart_add_one_port() failures - serial: qcom-geni: fix UART_RX_PAR_EN bit position - serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ - serial: sh-sci: fix memory region release in error path - serial: zs: Fix swapped RI/DSR modem line transition counting - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger - drm/amdkfd: Check for pdd drm file first in CRIU restore path - serial: dz: Fix bootconsole message clobbering at chip reset - serial: dz: Fix bootconsole handover lockup - serial: dz: Convert to use a platform device - serial: zs: Fix bootconsole handover lockup - serial: zs: Switch to using channel reset - serial: zs: Convert to use a platform device - USB: serial: cypress_m8: fix memory corruption with small endpoint - USB: serial: digi_acceleport: fix memory corruption with small endpoints - xhci: tegra: Fix ghost USB device on dual-role port unplug - iommu: Skip PASID validation for devices without PASID capability - [amd64] x86/boot: Disable stack protector for early boot code - [amd64] x86/kexec: Disable KCOV instrumentation after load_segments() (CVE-2026-43331) - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg - rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer - serdev: Provide a bustype shutdown function - Bluetooth: hci_qca: Migrate to serdev specific shutdown function - Bluetooth: hci_qca: Convert timeout from jiffies to ms - ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes - ALSA: scarlett2: Allow flash writes ending at segment boundary - mm/memory: fix spurious warning when unmapping device-private/exclusive pages - [amd64] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery - net: hsr: defer node table free until after RCU readers - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient - ice: fix VF queue configuration with low MTU values - ring-buffer: Flush and stop persistent ring buffer on panic - mptcp: cleanup fallback dummy mapping generation - mptcp: reset rcv wnd on disconnect - [arm64] tlb: Flush walk cache when unsharing PMD tables - [arm64] octeontx2-pf: avoid double free of pool->stack on AQ init failure - mptcp: introduce the mptcp_init_skb helper - mptcp: handle first subflow closing consistently - mptcp: do not drop partial packets - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() - iio: chemical: scd30: Use guard(mutex) to allow early returns - iio: chemical: scd30: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - ALSA: firewire-motu: Protect register DSP event queue positions - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths - usb: musb: omap2430: Fix use-after-free in omap2430_probe() - usb: typec: ucsi: Check if power role change actually happened before handling - [amd64] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - [amd64] x86/alternatives: Rename 'apply_relocation()' to 'text_poke_apply_relocation()' - [amd64] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock - mm: perform all memfd seal checks in a single place - mm/memfd: fix spelling and grammatical issues - memfd: deny writeable mappings when implying SEAL_WRITE - usb: core: Fix SuperSpeed root hub wMaxPacketSize - ethtool: cmis_cdb: Fix incorrect read / write length extension - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow - [arm64] KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CVE-2026-46316) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.94 - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - USB: serial: mct_u232: fix memory corruption with small endpoint - [armhf] group is_permission_fault() with is_translation_fault() - [armhf] allow __do_kernel_fault() to report execution of memory faults - [armhf] fix hash_name() fault - [armhf] fix branch predictor hardening - net: phy: micrel: fix LAN8814 QSGMII soft reset - wifi: remove zero-length arrays - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl - ipv6: mcast: Fix use-after-free when processing MLD queries - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS - [arm64] tee: optee: prevent use-after-free when the client exits before the supplicant - [arm64]soc: qcom: ice: Return -ENODEV if the ICE platform device is not found - erofs: add sysfs node to drop internal caches - erofs: tidy up synchronous decompression - erofs: fix use-after-free on sbi->sync_decompress - ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit - netfilter: synproxy: add mutex to guard hook reference counting - netfilter: conntrack_irc: fix possible out-of-bounds read - netfilter: nft_ct: bail out on template ct in get eval - netfilter: bridge: make ebt_snat ARP rewrite writable - dm cache policy smq: check allocation under invalidate lock - net/sched: act_api: use RCU with deferred freeing for action lifecycle - 6lowpan: fix off-by-one in multicast context address compression - l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() - devlink: Release nested relation on devlink free - [arm64] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c - wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap - pcnet32: stop holding device spin lock during napi_complete_done - net: Annotate sk->sk_write_space() for UDP SOCKMAP. - hsr: Remove WARN_ONCE() in hsr_addr_is_self(). - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - net: fec: fix pinctrl default state restore order on resume - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() - Bluetooth: MGMT: validate advertising TLV before type checks - Bluetooth: RFCOMM: validate skb length in MCC handlers - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling - Bluetooth: bnep: reject short frames before parsing - Bluetooth: fix memory leak in error path of hci_alloc_dev() - Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync - Bluetooth: ISO: Fix not using bc_sid as advertisement SID - Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls - Bluetooth: MGMT: Fix backward compatibility with userspace - [arm64] octeontx2-pf: Fix NDC sync operation errors - [arm64] octeontx2-af: Fix initialization of mcam's entry2target_pffunc field - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options - ptp: vclock: Switch from RCU to SRCU - net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown - net_sched: act_pedit: use RCU in tcf_pedit_dump() - net/sched: fix pedit partial COW leading to page cache corruption (CVE-2026-46331) - [arm64] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow - vxlan: vnifilter: send notification on VNI add - vxlan: vnifilter: fix spurious notification on VNI update - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr - sctp: purge outqueue on stale COOKIE-ECHO handling - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams - ALSA: seq: dummy: fix UMP event stack overread - ima: kexec: skip IMA segment validation after kexec soft reboot - ima: kexec: move IMA log copy from kexec load to execute - spi: cadence-quadspi: fix unclocked access on unbind (CVE-2026-46203) - tools/rv: Fix cleanup after failed trace setup - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - iomap: don't revert iov_iter on partially completed buffered writes - dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() - netlabel: validate unlabeled address and mask attribute lengths - gpio: mvebu: fix NULL pointer dereference in suspend/resume - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls - tcp: restrict SO_ATTACH_FILTER to priv users - net: add pskb_may_pull() to skb_gro_receive_list() - net/mlx4: avoid GCC 10 __bad_copy_from() false positive - net: ibm: emac: Fix use-after-free during device removal - netdev: fix double-free in netdev_nl_bind_rx_doit() - net: phy: clean the sfp upstream if phy probing fails - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove - net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list - net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure - net/mlx5: Use effective affinity mask for IRQ selection - ipv6: sit: reload inner IPv6 header after GSO offloads - net: openvswitch: fix possible kfree_skb of ERR_PTR - r8152: handle the return value of usb_reset_device() - gpio: zynq: fix runtime PM leak on remove - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() - net: guard timestamp cmsgs to real error queue skbs - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: revalidate bridge ports - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister - netfilter: x_tables: avoid leaking percpu counter pointers - netfilter: nf_log: validate MAC header was set before dumping it - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag - [arm64,armhf] net: mvpp2: sync RX data at the hardware packet offset - [arm64,armhf] net: mvpp2: limit XDP frame size to the RX buffer - [arm64,armhf] net: mvpp2: Add metadata support for xdp mode - [arm64,armhf] net: mvpp2: refill RX buffers before XDP or skb use - [arm64,armhf] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS - ipv6: Fix a potential NPD in cleanup_prefix_route() - netfilter: ctnetlink: ensure safe access to master conntrack (CVE-2026-43116) - writeback: Avoid contention on wb->list_lock when switching inodes - writeback: Fix use after free in inode_switch_wbs_work_fn() - xfrm: hold device only for the asynchronous decryption - xfrm: hold dev ref until after transport_finish NF_HOOK (CVE-2026-31663) - [amd64] KVM: VMX: Update SVI during runtime APICv activation - [arm64] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked - clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs - [arm64] clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time - drm/virtio: Fix driver removal with disabled KMS - [arm64,armhf] drm/vc4: fix krealloc() memory leak - drm/xe: fix refcount leak in xe_range_fence_insert() - netfilter: nft_tunnel: fix use-after-free on object destroy - [arm64] tee: shm: fix shm leak in register_shm_helper() - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig - [arm64] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() - [amd64] accel/ivpu: Add bounds checks for firmware log indices - [amd64] accel/ivpu: Add buffer overflow check in MS get_info_ioctl - [amd64] accel/ivpu: Fix signed integer truncation in IPC receive - tracing/probes: Point the error offset correctly for eprobe argument error - mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation - KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying - [amd64] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA - [amd64] drm/i915/gem: Fix phys BO pread/pwrite with offset - pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL - xfrm: espintcp: do not reuse an in-progress partial send - USB: serial: io_ti: fix heap overflow in get_manuf_info() - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow - ALSA: timer: Forcibly close timer instances at closing - ALSA: timer: Fix UAF at snd_timer_user_params() - io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries - drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - mm/huge_memory: update file PMD counter before folio_put() - mm/damon/ops-common: call folio_test_lru() after folio_get() - RDMA/srp: bound SRP_RSP sense copy by the received length - zram: fix use-after-free in zram_bvec_write_partial() - udp: clear skb->dev before running a sockmap verdict - mptcp: fix retransmission loop when csum is enabled - mptcp: close TOCTOU race while computing rcv_wnd - mptcp: allow subflow rcv wnd to shrink - mptcp: sockopt: check timestamping ret value - mptcp: add-addr: always drop other suboptions - wifi: nl80211: reject oversized EMA RNR lists - vsock/vmci: fix sk_ack_backlog leak on failed handshake - timers/migration: Fix livelock in tmigr_handle_remote_up() - ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write - bnxt_en: Fix NULL pointer dereference - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN - inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush - pidfd: refuse access to tasks that have started exiting harder - fs/qnx6: fix pointer arithmetic in directory iteration - fuse: reject fuse_notify() pagecache ops on directories - i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() - i2c: stm32f7: fix timing computation ignoring i2c-analog-filter - i2c: tegra: Fix NOIRQ suspend/resume - Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates - misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context - misc: fastrpc: fix use-after-free race in fastrpc_map_create - misc: fastrpc: fix DMA address corruption due to find_vma misuse - misc: fastrpc: Fix NULL pointer dereference in rpmsg callback - net/mlx5: Reorder completion before putting command entry in cmd_work_handler - net: bonding: fix NULL pointer dereference in bond_do_ioctl() - net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind - nvmem: core: fix use-after-free bugs in error paths - nvmem: layouts: onie-tlv: fix hang on unknown types - [arm64] octeontx2-af: fix memory leak in rvu_setup_hw_resources() - io_uring/kbuf: don't truncate end buffer for bundles - io_uring/wait: fix min_timeout behavior - mm/hugetlb: restore reservation on error in hugetlb folio copy paths - mmc: core: Fix host controller programming for fixed driver type - mmc: dw_mmc-rockchip: Add missing private data for very old controllers - mmc: litex_mmc: Set mandatory idle clocks before CMD0 - mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC - mmc: sdhci: add signal voltage switch in sdhci_resume_host - pmdomain: imx: fix OF node refcount - rtase: Avoid sleeping in get_stats64() - rtase: Reset TX subqueue when clearing TX ring - sctp: diag: reject stale associations in dump_one path - sctp: stream: fully roll back denied add-stream state - [amd64] thunderbolt: Reject zero-length property entries in validator - [amd64] thunderbolt: Bound root directory content to block size - [amd64] thunderbolt: Clamp XDomain response data copy to allocation size - [amd64] thunderbolt: Validate XDomain request packet size before type cast - [amd64] thunderbolt: Limit XDomain response copy to actual frame size - [arm64] slimbus: qcom-ngd-ctrl: fix OF node refcount - [arm64] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration - [arm64] slimbus: qcom-ngd-ctrl: Fix probe error path ordering - [arm64] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd - [arm64] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller - [arm64] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership - [arm64] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD - [arm64] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock - drm/amdkfd: fix NULL dereference in get_queue_ids() - drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 - drm/xe: Clear pending_disable before signaling suspend fence - [arm64,armhf] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups - drm/amdgpu: restart the CS if some parts of the VM are still invalidated - drm/amd/pm: fix smu13 power limit default/cap calculation - drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 - drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range - drm/amd/display: Bound VBIOS record-chain walk loops - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size - drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs - drm/amd/display: Use krealloc_array() in dal_vector_reserve() - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling - driver core: reject devices with unregistered buses - mailbox: Fix NULL message support in mbox_send_message() - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf - sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() - netfilter: nft_fib: fix stale stack leak via the OIFNAME register - mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison - RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper - RDMA/umem: Move umem dmabuf revoke logic into helper function - RDMA/umem: Add helpers for umem dmabuf revoke lock - RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - RDMA/umem: fix kernel-doc warnings - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G - mm/hugetlb: avoid false positive lockdep assertion - mptcp: fix missing wakeups in edge scenarios - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - vsock/virtio: fix potential unbounded skb queue - vsock/virtio: fix skb overhead accounting to preserve full buf_alloc - block: fix handling of dead zone write plugs - [arm64] cputype: Add NVIDIA Olympus definitions - [arm64] cputype: Add C1-Ultra definitions - [arm64] cputype: Add C1-Premium definitions - [arm64] errata: Mitigate TLBI errata on various Arm CPUs - [arm64] errata: Mitigate TLBI errata on NVIDIA Olympus CPU - [arm64] errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - net: introduce EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() - tcp: use EXPORT_IPV6_MOD[_GPL]() - tcp: secure_seq: add back ports to TS offset (CVE-2026-23247) - mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation - vsock/virtio: fix skb overhead overflow on 32-bit builds - netfilter: require Ethernet MAC header before using eth_hdr() . [ Salvatore Bonaccorso ] * [rt] Refresh "ARM: enable irq in translation/section permission fault" * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) linux-signed-arm64 (6.12.94+1~bpo12+1) bookworm-backports; urgency=medium . * Sign kernel from linux 6.12.94-1~bpo12+1 . * Rebuild for bookworm-backports linux-signed-arm64 (6.12.90+2) trixie-security; urgency=high . * Sign kernel from linux 6.12.90-2 . * smb: client: reject userspace cifs.spnego descriptions * net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) linux-signed-arm64 (6.12.90+2~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.90-2~bpo12+1 . * Rebuild for bookworm-backports linux-signed-arm64 (6.12.90+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.90-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.89 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.90 - HID: playstation: Clamp num_touch_reports - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [arm64] dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux - [arm64] regulator: mt6357: fix OF node reference imbalance - [arm64,armhf] regulator: rk808: fix OF node reference imbalance - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap - [amd64] media: intel/ipu6: fix error pointer dereference - media: saa7164: add ioremap return checks and cleanups - spi: aspeed-smc: fix controller deregistration - [amd64] platform/x86: hp-wmi: Ignore backlight and FnLock events - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy - [arm64] drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() - [amd64] drm/i915/psr: Init variable to avoid early exit from et alignment loop - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. - drm/amdgpu: gate VM CPU HDP flush on reset lock - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x - drm/amdkfd: Add upper bound check for num_of_nodes - drm/amdgpu: Add bounds checking to ib_{get,set}_value - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB - drm/amdgpu/vce: Prevent partial address patches - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg - drm/amd/display: Change dither policy for 10 bpc output back to dithering - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() - drm/amdkfd: validate SVM ioctl nattr against buffer size - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() - drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() - drm/radeon: add missing revision check for CI - drm/amdgpu: zero-initialize GART table on allocation - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds - drm/amdkfd: Make all TLB-flushes heavy-weight - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - [arm64] dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL - batman-adv: fix integer overflow on buff_pos - batman-adv: reject new tp_meter sessions during teardown - batman-adv: stop caching unowned originator pointers in BAT IV - batman-adv: bla: prevent use-after-free when deleting claims - batman-adv: bla: only purge non-released claims - batman-adv: bla: put backbone reference on failed claim hash insert - usb: typec: tcpm: reset internal port states on soft reset AMS - usb: dwc3: Move GUID programming after PHY initialization - ALSA: hda: cs35l56: Propagate ASP TX source control errors - ALSA: misc: Use guard() for spin locks - ALSA: core: Serialize deferred fasync state checks - ALSA: seq: Notify client and port info changes - ALSA: seq: Fix UMP group 16 filtering - Bluetooth: hci_conn: fix potential UAF in create_big_sync - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration - [arm64,armhf] spi: tegra114: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - block: cleanup blkdev_report_zones() - block: reorganize struct blk_zone_wplug - block: fix zone write plug removal - tracefs: Fix default permissions not being applied on initial mount - fbcon: Avoid OOB font access if console rotation fails - mm/damon/core: disallow time-quota setting zero esz - mm/damon/core: implement damon_kdamond_pid() - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values - bonding: fix use-after-free due to enslave fail after slave array update (CVE-2026-23171) - io_uring/kbuf: support min length left for incremental buffers - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() - btrfs: fix double free in create_space_info_sub_group() error path - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak - tracing/probes: Limit size of event probe to 3K - batman-adv: stop tp_meter sessions during mesh teardown - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - vsock: fix buffer size clamping order - vsock/virtio: fix length and offset in tap skb for split packets - vsock/virtio: fix empty payload in tap skb for non-linear buffers - vsock/virtio: fix accept queue count leak on transport mismatch - drm/amdgpu/vcn3: Avoid overflow on msg bound check - drm/amdgpu/vcn4: Avoid overflow on msg bound check . [ Salvatore Bonaccorso ] * Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (Closes: #1136790) * net: skbuff: preserve shared-frag marker during coalescing (CVE-2026-46300) * net: skbuff: propagate shared-frag marker through frag-transfer helpers linux-signed-arm64 (6.12.90+1~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.90-1~bpo12+1 . * Rebuild for bookworm-backports linux-signed-arm64 (6.12.88+1) trixie-security; urgency=high . * Sign kernel from linux 6.12.88-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic linux-signed-arm64 (6.12.88+1~bpo12+1) bookworm-backports; urgency=high . * Sign kernel from linux 6.12.88-1~bpo12+1 . * Rebuild for bookworm-backports linuxcnc (1:2.9.4-2+deb13u1) trixie; urgency=medium . * Team upload. . * Added 0010-sanitize-hal-paths.patch to sanitize name for module in rtapi_app (Closes: #1140943). * Added d/gbp.conf to enforce the use of pristine-tar and using correct git branch for stable updates. lxd (5.0.2+git20231211.1364ae4-9+deb13u7) trixie-security; urgency=high . * Cherry-pick fixes for the following security issues: - CVE-2026-9639 / GHSA-j93m-3j9p-m5m8 - CVE-2026-9640 / GHSA-ppq7-4492-5552 - CVE-2026-48749 / GHSA-vghh-5rfx-xhq8 - CVE-2026-48750 / GHSA-9j25-mm2h-2f76 - CVE-2026-48751 / GHSA-47w9-6r3f-938g - CVE-2026-48752 / GHSA-jpf8-86f3-wp38 - CVE-2026-48755 / GHSA-fmc8-p6q7-75cc - CVE-2026-48769 / GHSA-pjff-c2wc-f6jm - CVE-2026-55621 / GHSA-7mr3-28h5-m5vx - CVE-2026-55622 / GHSA-qx75-2p3r-pwm5 lxml-html-clean (0.4.4-1~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. - CVE-2026-28348: CSS @import Filter Bypass via Unicode Escapes - CVE-2026-28350: tag injection through default Cleaner configuration . lxml-html-clean (0.4.4-1) unstable; urgency=medium . * New upstream version. * Bump standards version. lxml-html-clean (0.4.3-1) unstable; urgency=medium . * New upstream version. Closes: #1114193. * Bump standards version. mediawiki (1:1.43.9+dfsg-1~deb13u1) trixie-security; urgency=medium . * New upstream version 1.43.9, fixing CVE-2026-58024, CVE-2026-58025, CVE-2026-58026, CVE-2026-58027, CVE-2026-58028, CVE-2026-58029, CVE-2026-58030, CVE-2026-58032, CVE-2026-58033, CVE-2026-58037. This version is not affected by CVE-2026-58036. * Drop patches merged upstream. mediawiki (1:1.43.8+dfsg-2) unstable; urgency=medium . * Cherry-pick upstream patch fixing CVE-2026-34095 mitigation * Refresh patches mediawiki (1:1.43.8+dfsg-1) unstable; urgency=medium . * New upstream version 1.43.8, fixing CVE-2026-5266, CVE-2026-34086, CVE-2026-34087, CVE-2026-34088, CVE-2026-34091, CVE-2026-34092, CVE-2026-34093, CVE-2026-34094, CVE-2026-34095. This version is not affected by CVE-2026-34089, CVE-2026-34090. mesa (25.0.7-2+deb13u1) trixie; urgency=high . * Non-maintainer upload by the LTS Team. * Backport patch for CVE-2026-40393: - backport support function STACK_ARRAY, cherry-pick file from upstream. - backport commits fixing the issue miniupnpd (2.3.9-2+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-5720: integer underflow in SOAPAction header parsing (Closes: #1134334) mistral (20.0.0-2+deb13u1) trixie-security; urgency=medium . * CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution. Applied upstream patches: - Restrict publicize policies to admin only - Remove unnecessary expect_errors=True from policy tests - Add code_sources publicize policy and enforcement - Restrict code_sources and dynamic_actions policies to - Add dynamic_actions publicize policy and enforcement - Add workbooks publicize policy and enforcement - Add cron_triggers publicize policy and enforcement - Add environments publicize policy and enforcement (Closes: #1138843) * OSSN-0098: Mistral workflow execution context exposes Keystone auth token. Applied upstream patch: "Strip sensitive info from workflow execution context" (Closes: #1138849). modsecurity (3.0.14-1+deb13u1) trixie; urgency=medium . [ Ervin Hegedus ] * Add fixes for CVE-2026-30923 and CVE-2026-42268 mutt (2.2.13-1+deb13u1) trixie; urgency=medium . * CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862 CVE-2026-43863 CVE-2026-43864 (Closes: #1135699) mxml (3.3.1-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328) mxml (3.3.1-1+deb13u1~deb12u1) bookworm; urgency=medium . * Non-maintainer upload. * Rebuild for bookworm. . mxml (3.3.1-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328) nagios4 (4.4.6-4.1+deb13u1) trixie-security; urgency=high . * CSRF Security Fix backported from upstream 4.5.12 commit e5ed38e53a5d65721520c7c67be0746d63da28cb (cgi/cmd.c and html/index.php.in). See https://www.nagios.com/security-disclosures/nagios-core/4-5-12/ for the upstream disclosure. No CVE assigned. Closes: #1136340. * This can break third party integrations that POST to cmd.cgi without first setting NagFormId (the CSRF check fails). Upstream PR 1055 has been added as a workaround - see README.Debian. nbconvert (7.16.6-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-39377: Arbitrary File Write via Path Traversal in Cell Attachment Filenames (Closes: #1134889) * CVE-2026-39378: Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding (Closes: #1134890) netatalk (4.2.3~ds-1+deb13u2) trixie-security; urgency=high . [ Daniel Markstedt ] * add patch that fixes: CVE-2026-44047 CVE-2026-44048 CVE-2026-44049 CVE-2026-44050 CVE-2026-44051 CVE-2026-44052 CVE-2026-44054 CVE-2026-44055 CVE-2026-44057 CVE-2026-44060 CVE-2026-44062 CVE-2026-44064 CVE-2026-44066 CVE-2026-44068 CVE-2026-44076 CVE-2026-45354 CVE-2026-45355 CVE-2026-45356 CVE-2026-45698 CVE-2026-45699 neutron (2:26.0.3-0+deb13u2) trixie-security; urgency=medium . * New upstream point release. * Removed patches applied upstream: - Add_state_reporting_back_to_metadata_agents.patch - Fix_LoopingCallBase_argument_issue.patch * Add start-time=%t in neutron-api-uwsgi.ini. * Add haproxy as runtime depends of neutron-ovn-agent. Thanks to Sakirnth Nagarasa for the report (Closes: #1135272). * CVE-2026-50266 / OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks. Added upstream patch: Fix port RBAC policies to require network ownership (Closes: #1138844). neutron (2:26.0.0-9+deb13u1) trixie; urgency=medium . * OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags. Added upstream patch: "Fix plural policy names in tagging controller and floatingip policy" (Closes: #1138172). nghttp2 (1.64.0-1.1+deb13u1) trixie-security; urgency=medium . * Non-maintainer upload by the Security Team. * CVE-2026-27135 (Closes: #1131369) Fix missing iframe->state validations to avoid assertion failure. * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b) nginx (1.26.3-3+deb13u7) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Upstream: limit header length for HTTP/2 and gRPC (CVE-2026-42055) (Closes: #1140359) * Charset: fixed another rare buffer overread in recode_from_utf8() (CVE-2026-48142) (Closes: #1140361) nginx (1.26.3-3+deb13u6) trixie-security; urgency=medium . * Apply both patches to fix CVE-2026-42946. In the previous version, only one part of the patch was applied, so the fix was incomplete. This really fixes CVE-2026-42946, thanks to charles@debian.org for pointing it out. * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch * d/p/CVE-2026-42946.1.patch add * backport fix for buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx. * d/p/CVE-2026-9256.patch add * backport max_headers directive from upstream nginx. It limits the number of request headers accepted from clients. Fixes remote denial-of-service exploit. And move max_headers from core module to the ngx_http_header_count_module to avoid potential ABI breakage and keep all the 3rd party modules compatible with the new version of nginx without recompilation. A big thanks to Miao Wang for preparing the modification. Fixes TEMP-1138794-BADE22. * d/p/FIX-HTTP2bomb.patch add nginx (1.26.3-3+deb13u5) trixie-security; urgency=medium . * backport changes from upstream nginx, HTTP/3 address spoofing (CVE-2026-40460), buffer overflow in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), resolver use-after-free in OCSP (CVE-2026-40701), buffer overread in the ngx_http_charset_module (CVE-2026-42934) * d/p/CVE-2026-40460.patch add * d/p/CVE-2026-42945.patch add * d/p/CVE-2026-42946.patch add * d/p/CVE-2026-40701.patch add * d/p/CVE-2026-42934.patch add node-shell-quote (1.7.4+~1.7.1-1+deb13u1) trixie-security; urgency=medium . * Team upload * Validate object-token shapes (Closes: #1137372, CVE-2026-9277) node-shell-quote (1.7.4+~1.7.1-1+deb12u1) bookworm-security; urgency=medium . * Team upload * Validate object-token shapes (Closes: #1137372, CVE-2026-9277) nss (2:3.110-1+deb13u3) trixie; urgency=medium . * Non-maintainer upload. * improve handling of escape sequences in pk11uri_ParseAttributes (CVE-2026-12318) nss (2:3.110-1+deb13u2) trixie-security; urgency=medium . * CVE-2026-6766 * CVE-2026-6767 * CVE-2026-6772 ojalgo (55.0.0+ds-1+deb13u1) trixie; urgency=medium . * Team upload. * Use a simplified salsa-ci.yml for trixie. * Backport upstream and Debian fixes from 56.2.1-3. Closes: #1140433. okular (4:25.04.2-1+deb13u1) trixie-security; urgency=medium . * Multiple security issues in parsing Fax files opencc (1.1.9+ds1-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-15536: Out-of-bounds read (Closes: #1126286) openjpeg2 (2.5.3-2.1~deb13u2) trixie-security; urgency=medium . * CVE-2026-6192 (Closes: #1133832) openslide (3.4.1+dfsg-7+deb13u1) trixie; urgency=medium . * CVE-2026-48977.patch: new: fix CVE-2026-48977. The change lacks attempt to apply the test case, because the binary representation of a newly introduced test file is not possible in the patch. (Closes: #1140003) openssl (3.5.6-1~deb13u2) trixie-security; urgency=medium . * CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion") * CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption") * CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing") * CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys") * CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged Messages") * CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler") * CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet handling") * CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS Decryption") * CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue Decryption") * CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()") * CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate") * CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q") * CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path") * CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes") * CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()") openvpn (2.6.14-1+deb13u3) trixie-security; urgency=high . * Cherry-pick upstream security patches from the 2.6.21 release - CVE-2026-12996: Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets - CVE-2026-13117: Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence of dynamic tls-crypt control-channel packets - CVE-2026-13122: Fix server crash on reception of suitably malformed auth-token, if --auth-gen-token external-auth is active - CVE-2026-12932: Fix memory-leak in tls-crypt-v2 client key handling that could lead to out-of-memory situations and subsequent server crashes - CVE-2026-11771: Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. - CVE-2026-13698: Fix another memory leak on reception of suitable tls-crypt-v2 packets that could lead to an out of memory situation and server crash openvpn (2.6.14-1+deb13u2) trixie-security; urgency=medium . * Cherry-pick upstream security patches - CVE-2026-40215: fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances - CVE-2026-35058: fix server ASSERT() on receiving a suitably malformed packet with a valid tls-crypt-v2 key pdns (4.9.16-0+deb13u1) trixie-security; urgency=medium . * New upstream version 4.9.16, fixing security issue CVE-2026-42005. pdns (4.9.15-0+deb13u1) trixie-security; urgency=medium . * New upstream version 4.9.15, fixing security issues CVE-2026-42000, CVE-2026-42001, CVE-2026-42002, CVE-2026-42396. pdns-recursor (5.2.11-0+deb13u1) trixie-security; urgency=medium . * New upstream version 5.2.11, fixing security issues CVE-2026-33612, CVE-2026-40012, CVE-2026-42005, CVE-2026-42390, CVE-2026-42390, CVE-2026-42388, CVE-2026-42387, CVE-2026-52690. php-guzzlehttp-psr7 (2.7.1-1+deb13u1) trixie; urgency=medium . * Backport fixes from upstream - Encode plus sign in withQueryValue() and withQueryValues() (#636) - Harden ServerRequest globals handling (#660) - Normalize global header values (#718) - Reject control characters in URI hosts (#715) [CVE-2026-49214] - Reject malformed Host authorities (#717) [CVE-2026-48998] (Closes: #1138265) * Track debian/trixie branch php-league-csv (9.23.0+dfsg-1+deb13u1) trixie; urgency=medium . * Add upstream patch to fix failing test with PHP 8.4.14+ (Closes: #1137038) php-twig (3.27.0-0+deb13u1) trixie-security; urgency=medium . [ Fabien Potencier ] * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy sandboxing [CVE-2026-24425] * Fix sandbox `__toString` bypasses [CVE-2026-47732] * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628] * Document template_from_string caveats when used in a sandboxed env [CVE-2026-46634] * Document that the sandbox doesn't protect against resource exhaustion [CVE-2026-46627] * Fix sandbox bypass in deprecated internal wrappers [CVE-2026-48805] * Fix sandbox bypass in the "column" filter under SourcePolicyInterface [CVE-2026-48808] * Fix sandbox __toString bypass via Traversable in join/replace filters * Fix sandbox `__toString` bypass via the `in` and `not in` operators [CVE-2026-48807] * Fix sandbox __toString policy bypass via dynamic mapping keys [CVE-2026-48806] * Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders [CVE-2026-46636] * Update CHANGELOG * Prepare the 3.27.0 release . [ Alexandre Daubois ] * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639] * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` [CVE-2026-46629] * Fix sandbox bypass: PHP code injection via {% use %} template name [CVE-2026-46633] * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded template [CVE-2026-46638] * Fix sandbox bypass: PHP code injection via _self / import macro reference [CVE-2026-46640] * Fix sandbox bypass in the "column" filter [CVE-2026-46635] . [ Nicolas Grekas ] * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters [CVE-2026-46637] * Pre-escape HTML input on `inline_css` and `inky_to_html` filters * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730] . [ David Prévot ] * Track debian/trixie branch * Refresh patches * Make phpab tolerant * Update build for related path php-twig (3.26.0-1) unstable; urgency=medium . [ Fabien Potencier ] * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy sandboxing [CVE-2026-24425] * Fix sandbox `__toString` bypasses [CVE-2026-47732] * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628] * Document template_from_string caveats when used in a sandboxed env [CVE-2026-46634] * Document that the sandbox doesn't protect against resource exhaustion [CVE-2026-46627] * Update CHANGELOG * Prepare the 3.26.0 release . [ Alexandre Daubois ] * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639] * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` [CVE-2026-46629] * Fix sandbox bypass: PHP code injection via {% use %} template name [CVE-2026-46633] * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded template [CVE-2026-46638] * Fix sandbox bypass: PHP code injection via _self / import macro reference [CVE-2026-46640] * Fix sandbox bypass in the "column" filter [CVE-2026-46635] . [ Nicolas Grekas ] * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters [CVE-2026-46637] * Pre-escape HTML input on `inline_css` and `inky_to_html` filters * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730] . [ David Prévot ] * Use full version with RequiresPhp * Update standards version to 4.7.4 php-twig (3.26.0-0+deb13u1) trixie-security; urgency=medium . [ Fabien Potencier ] * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy sandboxing [CVE-2026-24425] * Fix sandbox `__toString` bypasses [CVE-2026-47732] * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628] * Document template_from_string caveats when used in a sandboxed env [CVE-2026-46634] * Document that the sandbox doesn't protect against resource exhaustion [CVE-2026-46627] * Update CHANGELOG * Prepare the 3.26.0 release . [ Alexandre Daubois ] * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639] * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` [CVE-2026-46629] * Fix sandbox bypass: PHP code injection via {% use %} template name [CVE-2026-46633] * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded template [CVE-2026-46638] * Fix sandbox bypass: PHP code injection via _self / import macro reference [CVE-2026-46640] * Fix sandbox bypass in the "column" filter [CVE-2026-46635] . [ Nicolas Grekas ] * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters [CVE-2026-46637] * Pre-escape HTML input on `inline_css` and `inky_to_html` filters * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730] . [ David Prévot ] * Track debian/trixie branch * Refresh patches * Make phpab tolerant * Update build for related path php-twig (3.24.0-1) unstable; urgency=medium . [ Fabien Potencier ] * Add support for renaming variables in object destructuring * Deprecate passing a non-AbstractExpression node to Parser::setParent() * Deprecate passing non AbstractExpression nodes to MatchesBinary * Add getOperatorTokens() to ExpressionParserInterface to separate operator token registration from parser identity * Prepare the 3.24.0 release . [ HypeMC ] * Support short-circuiting in null-safe operator chains . [ Matthias Pigulla ] * Add `html_attr_relaxed` escaping strategy * Add an `html_attr` function to make outputting HTML attributes easier . [ David Prévot ] * Refresh patches * Reorder Files paragraphs in debian/copyright by directory depth * Upgrade upstream signing key to new packet format php-twig (3.23.0-2) unstable; urgency=medium . * Compatibility with recent PHPUnit (13) php-twig (3.23.0-1) unstable; urgency=medium . [ Fabien Potencier ] * Fix spread operator behavior * Add === and !== operators * Add the = assignment operator * Add support for object and mapping destructuring * Update CHANGELOG . [ Ondřej Machulda ] * Fix opcache preload warning for unlinked anonymous class . [ Felds Liscia ] * Add null-safe operator . [ David Prévot ] * Convert d/watch to version 5 * Update build for related path * Update Standards-Version to 4.7.3 php-twig (3.22.2-2) unstable; urgency=medium . * Source-only upload php-twig (3.22.2-1) unstable; urgency=medium . [ Fabien Potencier ] * Update CHANGELOG * Prepare the 3.22.2 release . [ Younes ENNAJI ] * [Core] Fix cycle() with non-countable ArrayAccess+Traversable objects . [ Tac Tacelosky ] * use getShareDir as an indicator of Symfony version . [ Andreas ] * Avoid ord deprecation in PHP 8.5 . [ David Prévot ] * Revert "Require recent php-symfony-intl for changed tests" php-twig (3.22.1-3) unstable; urgency=medium . * [Intl] Update data to ICU 78.1 * Require recent php-symfony-intl for changed tests php-twig (3.22.1-2) unstable; urgency=medium . * Source-only upload php-twig (3.22.1-1) unstable; urgency=medium . [ Fabien Potencier ] * Prepare the 3.22.1 release . [ Javier Eguiluz ] * Allow Symfony 8 packages in Twig extra packages . [ Andreas Erhard ] * Add caution note for random function usage php-twig (3.22.0-2) unstable; urgency=medium . * Source-only upload for testing migration php-twig (3.22.0-1) unstable; urgency=medium . [ Fabien Potencier ] * Fix compatibility layer * Update CHANGELOG . [ Simon André ] * Compile 'index' with repr (not string) in EmbedNode . [ Doeke Norg ] * Update configuration keys + allow extra keys for extensions . [ Vincent Langlet ] * Support two words test guard . [ Nicolas Grekas ] * Fix compatibility with Symfony 8 * Fix accessing arrays with stringable objects as key . [ Christophe Coevoet ] * Avoid errors when failing to guess the template info for an error . [ David Prévot ] * Make phpab tolerant * debian/control: Document nocheck flags php-twig (3.21.1-3) unstable; urgency=medium . * Source-only upload for testing migration php-twig (3.21.1-2) unstable; urgency=medium . * Upload to unstable now that trixie has been released * PHPunit 12 compatibility: additional fixes * Remove Rules-Requires-Root * Fix intl test php-twig (3.21.1-1) experimental; urgency=medium . * Upload to experimental during the freeze . [ Fabien Potencier ] * Introduce operator classes to describe operators provided by extensions instead of arrays * Fix testing and expression when it evaluates to an instance of Markup * Prepare the 3.21.1 release . [ Jérôme Tamarelle ] * Create attributes `AsTwigFilter`, `AsTwigFunction` and `AsTwigTest` to ease extension development . [ David Prévot ] * Update Standards-Version to 4.7.2 php8.4 (8.4.23-1~deb13u1) trixie-security; urgency=high . * New upstream version 8.4.23 + [CVE-2026-14355]: Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD. php8.4 (8.4.22-1) unstable; urgency=medium . * Update the php-fpm-reopenlogs script to not depend on PID file * New upstream version 8.4.22 php8.4 (8.4.21-1) unstable; urgency=medium . * New upstream version 8.4.21 (Closes: #1136054) php8.4 (8.4.21-1~deb13u1) trixie-security; urgency=high . * New upstream version 8.4.21 + [CVE-2026-7263]: Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS() + [CVE-2026-29078, CVE-2026-29079]: Upgrade to lexbor v2.7.0 + [CVE-2026-6735]: XSS within status endpoint + [CVE-2026-7259]: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() + [CVE-2026-6104]: Out-of-bounds access in mbfl_name2encoding_ex() + [CVE-2025-14179]: SQL injection via NUL bytes in quoted strings + [CVE-2026-6722]: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map + [CVE-2026-7261]: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION + [CVE-2026-7262]: Broken Apache map value NULL check + [CVE-2026-7568]: Signed integer overflow of char array offset + [CVE-2026-7258]: Consistently pass unsigned char to ctype.h functions php8.4 (8.4.20-1) unstable; urgency=medium . * New upstream version 8.4.20 php8.4 (8.4.16-1) unstable; urgency=medium . * Add preliminary LiteSpeed SAPI support * New upstream version 8.4.16 + [CVE-2025-14180]: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). + [CVE-2025-14178]: Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). + [CVE-2025-14177]: Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). pillow (11.1.0-5+deb13u4) trixie; urgency=medium . * Followup fix for CVE-2026-42310 (Closes: #1141330) pillow (11.1.0-5+deb13u3) trixie-security; urgency=medium . * CVE-2026-42308 * CVE-2026-42310 * CVE-2026-42311 poco (1.13.0-6+deb13u1) trixie; urgency=medium . * QA upload. * CVE-2025-6375: Segmentation fault in MultipartStreamBuf (Closes: #1108157) poetry (2.1.2+dfsg-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-34591: Wheel Path Traversal Leading to Arbitrary File Write (Closes: #1132609) poppler (25.03.0-5+deb13u4) trixie; urgency=medium . * Team upload * Fix creation of ill-formed PDF document signatures (Poppler issue #1596) - fixes "Invalid signature time when signing a PDF" (Closes: #1127146) Signatures made with previous versions of Poppler may not be recognized by other applications as valid. poppler (25.03.0-5+deb13u3) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118) (Closes: #1138708) * Make sure regex doesn't stack overflow by limiting it (CVE-2025-43718) (Closes: #1117046) * Check for duplicate entries (CVE-2025-52885) (Closes: #1117853) postfix (3.10.11-0+deb13u1) trixie; urgency=medium . * New upstream version 3.10.11, fixing 5 low-impact issues: - Bugfix: null pointer read and heap data overread in the Postfix SMTP client's smtp_dns_reply_filter - Robustness: the Postfix SMTP server will no longer receive (and discard) an unlimited amount of text while receiving a long SMTP command line - Robustness: do not receive (and discard) unlimited amounts of data with BDAT commands - Bugfix: panic (assertion failure and voluntary crash) while parsing a TLSA reply with length 3 - Bugfix: the SMTP client did not xtext_quote a '+' character in a DSN ORCPT parameter value. A strict receiver implementation could reject or discard the parameter value (this has never been reported to happen) postfix (3.10.10-0+deb13u1) trixie; urgency=medium . [ Michael Tokarev ] * keep postfix running during upgrades (Closes: #1120869) * linux7.patch: support building of the source on 7.x kernels . * new upstream stable/bugfix release 3.10.10: - Bitrot: builds with musl libc broke, because they were using an obsolete NO_SNPRINTF code path. - Two fixes for a signed integer overshift condition (a left shift into the sign bit). This "works" on contemporary CPUs, but may break in the future. - Fix an 'uninitialized value' error in the 'collate.pl' script. . * new upstream stable/bugfix release 3.10.9: - Bugfix: The RFC 2047 encoder for the sender "full name" could loop when a very long full_name_encoding_charset value was configured in main.cf. - Bugfix buffer over-read when Postfix an enhanced status code is not followed by other text. For example, "5.7.2" without text after the three-number code. This CANNOT be triggered with an SMTP or LMTP server response; is confirmed with an access(5) table and likely with a policy server response; can possibly be triggered with pipe-to-command output, header_checks(5), body_checks(5), an error(8) transport in transport_maps, or a milter response; and is confirmed with a DNSBL server TXT response while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps or default_rbl_reply. This could result in process termination. (Closes: #1135718, CVE-2026-43964) - Code cleanup: log a fatal error instead of dereferencing a null pointer after a first/next cursor initialization failure. - Portability: support for recent FreeBSD, NetBSD, and OpenBSD versions. - Bugfix: When truncating a database file, the cdb: database client looked at the file size from before requesting an exclusive lock on a database file, instead of the file size after the exclusive lock was granted. - Bugfix: file descriptor leak after fork() failure. - Mistakes in debug logging. - Unchecked null pointer results after an out-of-memory condition in a library dependency. Found by Claude Opus 4.6. The fix is to return an error status or to log a fatal error. - Missing or incomplete guards for ssize_t or int overflow. These limits are unlikely to be exceeded because the size of in-memory objects is limited by design (the number of in-memory objects is also limited). . * new upstream stable/bugfix release 3.10.8: - Improved Milter error handling for messages that arrive over a long-lived SMTP connection. - Fix "posttls-finger -v -v -v" panic and recursive panic. . * new upstream stable/bugfix release 3.10.7: - build fix for modern compilers and standard bool types (already included in debian) . * new upstream stable/bugfix release 3.10.6: - Bugfix: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt". Root cause: support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'. The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. - New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled. - Bugfix: SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin. - Bugfix: segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#'. - Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername . [ Aaron Thompson ] * debian-postfix-chroot-cmd.patch: Fix non-ASCII whitespace typo * configure-instance.in: fix typo * d/README.Debian: minor copyediting * Fix some cosmetic typos postfix (3.10.8-1) unstable; urgency=medium . * New upstream version 3.10.8 * Revert "rules: specify -std=gnu17 for CC (#1097639)" (similar solution is adopted upstream) postfix (3.10.6-4) unstable; urgency=medium . * disable chrooting by default finally, after 25 years of everyone suffering. Only limited support for chroot mode will be provided for backwards compatibility. With this in mind, let's close all chroot-related bugs. Closes: #151692, #1084167, #606007, #631665, #714770, #406348, Closes: #1026394, #257096, #278530, #776685, #893516, #935825, Closes: #678808, #896879, #412413, #802043 * yes there's no 3.10.6-3 changelog entry - which was chroot disabling without closing the bugs. postfix (3.10.6-3) unstable; urgency=medium . * disable chrooting by default finally, after 25 years of everyone suffering postfix (3.10.6-1) unstable; urgency=medium . * new upstream stable release: . - Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt". Root cause: support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'. The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. Problem reported by Joshua Tyler Cochran. . - New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled. . - Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin. . - Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#'. . - Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername. File: proto/postconf.proto. postfix (3.10.5-3) unstable; urgency=medium . [ Aaron Thompson ] * debian-postfix-chroot-cmd.patch: Fix non-ASCII whitespace typo * configure-instance.in: fix typo * d/README.Debian: minor copyediting * Fix some cosmetic typos . [ Michael Tokarev ] * changelog: fix the Closes: #1120869 line in the previous upload . postfix (3.10.5-2) unstable; urgency=medium . * keep postfix running during upgrades (Closes: #1120869) . Instead of stopping postfix instances before upgrade and starting them after, keep them running during whole upgrade, and restart in one go when finished. . Sometimes during upgrade, old running instance might try to run a new binary which is somehow incompatible with the old instance. Or a new binary try to load old dictionary module and fails. In the worst case, it will cause throttle for this service, but it will be over on restart after upgrade. . But keeping postfix running will make 2 things happen: . 1. In many situations, email will continue working during upgrades; 2. Secondary instances will be restarted automatically too . * d/rules: stop stopping/restarting postfix-resolvconf, since it is pointless postfix (3.10.5-2) unstable; urgency=medium . * keep postfix running during upgrades (#1120869) . Instead of stopping postfix instances before upgrade and starting them after, keep them running during whole upgrade, and restart in one go when finished. . Sometimes during upgrade, old running instance might try to run a new binary which is somehow incompatible with the old instance. Or a new binary try to load old dictionary module and fails. In the worst case, it will cause throttle for this service, but it will be over on restart after upgrade. . But keeping postfix running will make 2 things happen: . 1. In many situations, email will continue working during upgrades; 2. Secondary instances will be restarted automatically too . * d/rules: stop stopping/restarting postfix-resolvconf, since it is pointless postfix (3.10.5-1) unstable; urgency=medium . * new upstream stable release. From the Release Notes: . * Workaround for an interface mis-match between the Postfix SMTP client and MTA-STS policy plugins. . * The existing behavior is to connect to any MX host listed in DNS, and to match the server certificate against any STS policy MX host pattern. . * The corrected behavior is to connect to an MX host only if its name matches any STS policy MX host pattern, and to match the server certificate against the MX hostname. . The corrected behavior must be enabled in two places: in Postfix with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS policy attributes to Postfix. This works even if Postfix TLSRPT support is disabled at build time or at runtime. . * TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend that the TLSRPT policy domain value is equal to the recipient domain. This ignores that different policy types (TLSA, STS) use different policy domains. But this is what Microsoft does, and therefore, what other tools expect. . * Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection reuse logic did not distinguish between sessions that require SMTPUTF8 support, and sessions that do not. The solution is 1) to store sessions with different SMTPUTF8 requirements under distinct connection cache storage keys, and 2) to not cache a connection when SMTPUTF8 is required but the server does not support that feature. . * Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect' command statistics did not count commands with "bad syntax" and "bad UTF-8 syntax" errors. . * Bugfix: the August 2025 patch broke DBM library support which is still needed on Solaris; and the same change could result in warnings with "database X is older than source file Y". . * Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is rolled back to an older version, allow a preliminary 'size' record in maildrop queue files created with Postfix 3.11 or later. . * Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build, because the 'postconf -e' output order for new main.cf entries was no longer deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan. . * To make builds predictable, add missing meta_directory and shlib_directory settings to the stock main.cf file. Problem diagnosed by Eray Aslan. . * Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged an incorrectly-formatted port number. Viktor Dukhovni. postgresql-17 (17.10-0+deb13u1) trixie-security; urgency=medium . * New upstream version 17.10. . + Prevent unbounded recursion while processing startup packets (Michael Paquier) . A malicious client could crash the connected backend by alternating rejected SSL and GSS encryption requests indefinitely. . The PostgreSQL Project thanks Calif.io (in collaboration with Claude and Anthropic Research) for reporting this problem. (CVE-2026-6479) . + Fix assorted integer overflows in memory-allocation calculations (Tom Lane, Nathan Bossart, Heikki Linnakangas) . Various places were incautious about the possibility of integer overflow in calculations of how much memory to allocate. Overflow would lead to allocating a too-small buffer which the caller would then write past the end of. This would at least trigger server crashes, and probably could be exploited for arbitrary code execution. In many but by no means all cases, the hazard exists only in 32-bit builds. . The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and Pavel Kohout for reporting these problems. (CVE-2026-6473) . + Properly quote subscription names in pg_createsubscriber (Nathan Bossart) . The given subscription name was inserted into SQL commands without quoting, so that SQL injection could be achieved in the (perhaps unlikely) case that the subscription name comes from an untrusted source. . The PostgreSQL Project thanks Yu Kunpeng for reporting this problem. (CVE-2026-6476) . + Properly quote object names in logical replication origin checks (Pavel Kohout) . ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and relation names into SQL commands without quoting them, allowing execution of arbitrary SQL on the publisher. . The PostgreSQL Project thanks Pavel Kohout for reporting this problem. (CVE-2026-6638) . + Reject over-length options in ts_headline() (Michael Paquier) . The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb in length, but this was not checked for. An over-length value would typically crash the server. . The PostgreSQL Project thanks Xint Code for reporting this problem. (CVE-2026-6473) . + Guard against malicious time zone names in timeofday() and pg_strftime() (Tom Lane) . A crafted time zone setting could pass % sequences to snprintf(), potentially causing crashes or disclosure of server memory. Another path to similar results was to overflow the limited-size output buffer used by pg_strftime(). . The PostgreSQL Project thanks Xint Code for reporting this problem. (CVE-2026-6474) . + When creating a multirange type, ensure the user has CREATE privilege on the schema specified for the multirange type (Jelte Fennema-Nio) . The multirange type can be put into a different schema than its parent range type, but we neglected to apply the required privilege check when doing so. . The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this problem. (CVE-2026-6472) . + Use timing-safe string comparisons in authentication code (Michael Paquier) . Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking passwords, hashes, etc. It is not known whether the data dependency of those functions is usefully exploitable in any of these places, but in the interests of safety, replace them. . The PostgreSQL Project thanks Joe Conway for reporting this problem. (CVE-2026-6478) . + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart) . For a non-integral result type, PQfn() is not passed the size of the output buffer, so it cannot check that the data returned by the server will fit. A malicious server could therefore overwrite client memory. This is unfixable without an API change, so mark the function as deprecated. Internally to libpq, use a variant version that can apply the missing check. . The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for reporting this problem. (CVE-2026-6477) . + Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier) . These applications failed to validate output file paths read from their input, so that a malicious source could overwrite any file writable by these applications. Constrain where data can be written by rejecting paths that are absolute or contain parent-directory references. . The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and Valery Gubanov for reporting this problem. (CVE-2026-6475) . + Guard against field overflow within contrib/intarray's query_int type and contrib/ltree's ltxtquery type (Tom Lane) . Parsing of these query structures did not check for overflow of 16-bit fields, so that construction of an invalid query tree was possible. This can crash the server when executing the query. . The PostgreSQL Project thanks Xint Code for reporting this problem. (CVE-2026-6473) . + Guard against overly long values of contrib/ltree's lquery type (Michael Paquier) . Values with more than 64K items caused internal overflows, potentially resulting in stack smashes or wrong answers. . The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for reporting this problem. (CVE-2026-6473) . + Prevent SQL injection and buffer overruns in contrib/spi (Nathan Bossart) . check_foreign_key() was insufficiently careful about quoting key values, and also used fixed-length buffers for constructing queries. While this module is only meant as example code, it still shouldn't contain such dangerous errors. . The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this problem. (CVE-2026-6637) protobuf (3.21.12-11+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302). * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895). . [ Hlib Korzhynskyy ] * Complete fix of CVE-2024-7254 (closes: #1082381): - add recursion checks and recursion limit, - add tests. . [ Laszlo Boszormenyi (GCS) ] * Fix CVE-2025-4565: data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit (closes: #1108057). psd-tools (1.10.7+dfsg.1-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-27809: Compression module vulnerabilities (Closes: #1129098) pupnp (1:1.14.20-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-41682: SSRF port confusion pymdown-extensions (10.13-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-68142: ReDOS in Figure Capture extension (Closes: #1123672) pyopenssl (25.0.0-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-27448: Unhandled exceptions in set_tlsext_servername_callback callbacks did not cancel connections * CVE-2026-27459: Buffer overflow in DTLS cookie callback pytest-httpbin (2.1.0-1+deb13u1) trixie; urgency=medium . * Team upload. * Disable flaky test. Closes: #1137653. python-daphne (4.1.2-2+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-44545: DoS via unbounded WebSocket message sizes * CVE-2026-44546: Header injection on WebSocket upgrade path * (Closes: #1138864) python-django (3:4.2.28-0+deb13u2) stable-proposed-updates; urgency=medium . * The fix for CVE-2025-6069 in the python3.13 source package (released as part of a suite of updates in 3.13.5-2+deb13u2) modified Python's html.parser.HTMLParser class in such a way that changed the behaviour of Django's strip_tags() method. As a result of this change, we update the testsuite here for the newly expected results in order to prevent a build failure. (Closes: #1137039) python-dynaconf (3.1.7-2+deb13u1) trixie; urgency=medium . * CVE-2026-33154 (Closes: #1131476) python-grpc-tools (1.14.1-8+deb13u1) trixie; urgency=medium . * Team upload. . [ Theodore Tucker ] * d/patches: Fix shadowed variable in grpc_tools/command.py (Closes: #1132763) python-handy-archives (0.2.0-5+deb13u1) trixie; urgency=medium . * Fix Zip64 end of central directory locator. (Closes: #1137041) python-idna (3.10-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-45409: DoS from specially crafted inputs (Closes: #1139164) python-iniparse (0.5.1-1+deb13u1) trixie; urgency=medium . * Team upload. * Fix race condition in test_multiprocessing. Closes: #1137634. python-jwcrypto (1.5.6-1.1~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. . python-jwcrypto (1.5.6-1.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2026-39373: JWT bomb Attack in deserialize (Closes: #1133006) python-markdown (3.7-2+deb13u1) trixie; urgency=medium . * Adapt to changes in html.parser module in the new Python, backported to Trixie as part of CVE fixes (closes: #1137043). python-marshmallow (3.26.2-0+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * New upstream release. - CVE-2025-68480: DoS with Schema.load(many) (Closes: #1123888) python-marshmallow (3.26.1-0.4) unstable; urgency=medium . * Non-maintainer upload. * Disable useless Salsa CI tests * Drop "Rules-Requires-Root: no": it is the default now * Bump Standards-Version to 4.7.3, drop Priority: tag * Drop unused python3-tz build-dep * Rewrite d/watch in v5 format python-marshmallow (3.26.1-0.3) unstable; urgency=medium . * Non-maintainer upload. * Handle new error message in newer Python (closes: #1123267). python-memray (1.17.0+dfsg-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-32722: XSS in generated HTML reports via unescaped command-line metadata (Closes: #1131372) python-oslo.messaging (16.1.0-3+deb13u1) trixie-security; urgency=medium . * Add fix-not-using-non-durable.patch. * CVE-2026-44393 / OSSN-0096: oslo.messaging does not verify RabbitMQ broker hostname during TLS handshake. Added upstream patch: Fix RabbitMQ TLS hostname verification (Closes: #1138848). python-urllib3 (2.3.0-3+deb13u2) trixie-security; urgency=medium . * CVE-2026-44431 (Closes: #1136653) python-virtualenv (20.31.2+ds-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-22702: Time-of-Check-Time-of-Use Vulnerabilities in Directory Creation (Closes: #1125191) python-webob (1:1.8.10-0+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * New upstream release. - CVE-2026-44889: Location header normalization during redirect leads to open redirect python-webob (1:1.8.9-2) unstable; urgency=medium . * Team upload. * Add debian/salsa-ci.yml * Mark build-deps as !nocheck or !nodoc * Remove redundant Priority: optional from source stanza. * Update lintian override info format . [ Shanavas M ] * Fix test failure (Closes: #1123459) * Bumped standards version to 4.7.4 python-xmltodict (0.13.0-1.1~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. . python-xmltodict (0.13.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2025-9375: XML Injection (Closes: #1113825) python-xmltodict (0.13.0-1.1~deb12u1) bookworm; urgency=medium . * Non-maintainer upload. * Rebuild for bookworm. . python-xmltodict (0.13.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2025-9375: XML Injection (Closes: #1113825) python3.13 (3.13.5-2+deb13u3) trixie; urgency=medium . [ Stefano Rivera ] * Patches: - Fix a crash in SNI callback when the SSL object is gone. - Fix reference leaks in ssl.SSLContext objects. (Closes: #1138157) - Avoid garbage collecting objects too early when sharing __dict__ (Closes: #1108039) - Update the patch for CVE-2026-6019 to use decodeURIComponent. . [ Moritz Mühlenhoff ] * CVE-2026-1502 * CVE-2026-3276 * CVE-2026-7774 * CVE-2026-8328 * CVE-2026-9669 qemu (1:10.0.11+ds-0+deb13u1) trixie; urgency=medium . * new upstream stable/bugfix release: - Update version for 10.0.11 release - linux-user: Fix AT_PHDR when program headers are relocated into their own segment - hw/pci: Replace assert with bounds check and return - ppc/pnv_phb3: Error out on invalid config access - linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn - linux-user/xtensa: save/restore FP registers across signal delivery - target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status - ui/sdl2: Set GL ES profile before creating initial GL context - hw/9pfs: reject . and .. in Twstat rename - hw/9pfs: fix abort due to illegal name with Twstat rename - gdbstub: Update x86 control register bits - target/i386: apply mod to immediate count of an RCL/RCR operation - hw/uefi: fix parse_hexstr (Closes: CVE-2026-48915) - target/riscv: mask vxrm csrw write to the low 2 bits - disas/riscv.c: fix inst_length() - target/riscv/cpu_helper.c: add PMA access fault - target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val - target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers - disas/riscv.c: add 'cbo' insns to disassembler - target/riscv/csr.c: fix mstatus.UXL reserved value - target/riscv/csr.c: do not allow mstatus MPV/GVA writes - target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault - virtio: Allow to fill a whole virtqueue in order - libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() (Closes: CVE-2026-6425) - libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() (Closes: CVE-2026-6425) - tests/qtest: Add amd-iommu command buffer head wrap test - amd_iommu: Update command buffer head ptr in MMIO region after wraparound - amd_iommu: restrict command buffer head/tail ranges to ring size - linux-user: add preadv2/preadv2 - system/rtc: Fix a possible year-2038 integer overflow problem - linux-user/strace: add fsmount series of syscalls - linux-user: implement fsmount(2) series of syscalls - fpu: Handle all rounding modes in partsN_uncanon_normal - hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet - qed: Don't try to flush during incoming migration - qcow2: Fix data loss on zero write with detect-zeroes=unmap - iotests/046: Test that discard/write_zeroes wait for dependencies - qcow2: Fix corruption on discard during write with COW - qemu-io: Add 'aio_discard' command - virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (Closes: #1139923, CVE-2026-48914) - block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment - s390x/pci: Fix interrupt forwarding disable for interpreted devices - target/s390x: Make container ids in SysIB_15x 1-based - tests/unit: add test-envlist covering setenv/unsetenv name matching - util/envlist: fix prefix-match in envlist_unsetenv() name lookup - 9pfs: fix missing rename lock in v9fs_co_readdir_many (Closes: CVE-2026-48004) - tests/9pfs: add deep absolute path test - tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset - hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors - hw/9pfs: add error handling to v9fs_fix_path() - hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type - hw/9pfs: add NULL check in v9fs_path_is_ancestor() - hw/9pfs: move G_GNUC_PRINTF to header - linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn - linux-user/sh4: restore FP rounding mode on sigreturn - linux-user/sh4: preserve T/M/Q bits across signal delivery - linux-user/mips: save/restore FCSR across signal delivery - linux-user/ppc: restore fp_status from FPSCR on sigreturn - hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match() - hw/net/rocker_of_dpa: Check group ID pointers are not NULL - target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault - target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1 - target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs - target/arm: SVE2 FMAXP, FMINP must honour AH=1 - block/linux-aio: bound ioq_submit() recursion depth - mc146818rtc: Fix get_guest_rtc_ns() overflow bug - apic: fix delivery bitmask with modified xAPIC ids - lsi53c895a: clear tag byte when processing messages - lsi53c895a: fix use-after-free of cancelled request - ui: fix validation of VNC extended clipboard data length (Closes: CVE-2026-8343) - ui/vnc: fix OOB read updating VNC update frequency stats (Closes: CVE-2026-48003) - ui/vnc: fix OOB write in lossy rect worker code (Closes: CVE-2026-48002) - ui/vnc: fix OOB write in VNC stats array (Closes: CVE-2026-48002) - ui/vnc: fix OOB read access in VNC SASL mechname array - target/riscv: clear mseccfg on reset for all dependent extensions - target/riscv: Update the local interrupt mask - target/riscv: Add mseccfg to VMStateDescription - target/riscv: Save stimer and vstimer in CPU vmstate - target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation - target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL - hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen - hw/char: sifive_uart: Avoid infinite delay of async xmit function - target/riscv: Allow mseccfg access based on ext_zicfilp - hw/riscv/riscv-iommu: Fix Svnapot 64KB pages - target/riscv: Update MISA.X for non-standard extensions - target/riscv: Update MISA.C for Zc* extensions qemu (1:10.0.10+ds-0+deb13u1) trixie; urgency=medium . * 10.0.10 upstream stable/bugfix release: - Update version for 10.0.10 release - block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock() - block: Add more defaults to DEFAULT_BLOCK_CONF - block: Create DEFAULT_BLOCK_CONF macro - ide-test: Test reset during TRIM - ide-test: Factor out wait_dma_completion() - ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code - ide: Minimal fix for deadlock between TRIM and drain - block: Add flags parameter to blk_*_pdiscard() - block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE - blkdebug: Add 'delay-ns' option - linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern - linux-user/sh4: Fix target_ucontext tuc_link field type - linux-user: Fix AT_EXECFN in AUXV for symlinked programs - hw/nvme: fix admin cq msix setup - tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist - meson.build: Add -fzero-init-padding-bits=all - hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[] - aspeed/hace: Prevent total_req_len overflow - aspeed/hace: Fix out-of-bounds read in has_padding() - hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies - hw/display/cirrus_vga: Fix packed-24 color-expansion transparent pattern fills - hw/ufs: Keep MCQ SQs alive while requests are outstanding - hw/ufs: Reject zero-depth MCQ queues - hw/ufs: Guard MCQ CQ accesses against missing queues - hw/ufs: Validate MCQ SQ references before use - hw/uefi: check auth.hdr_length minimum size (Closes: CVE-2026-8341) - hw/uefi: avoid possibly unaligned variable_auth_2 struct field access (Closes: CVE-2026-41440) - hw/uefi: verify data size before accessing it in wrap_pkcs7 (Closes: CVE-2026-41439) - hw/uefi: add name_size check to uefi_vars_mm_lock_variable() (Closes: CVE-2026-41438) - hw/uefi: fix ucs2 string helper functions (Closes: CVE-2026-41437) - hw/uefi: verify pio_xfer_offset before calculating buffer checksum (Closes: CVE-2026-41436) - hw/uefi: fix buffer overruns (Closes: CVE-2026-41435) - hw/misc/bcm2835_rng: Specify valid memory access sizes - target/arm: Report IL=0 for Thumb 16-bit BKPT insn - target/microblaze: Fix endianness used to disassemble - hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7 - hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled - hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node - hw/ppc/e500: Move clock and TB frequency to machine class - tests/rcutorture: Fix build error - hw/intc/xics: Add a check for an invalid server id - linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR - linux-user: Allow getsockopt() with NULL optval address - linux-user: Flush errors by using exit() instead of _exit() in error path - linux-user: Add missing CDROM ioctls - target/riscv: Use ELEN for Fractional LMUL check - target/riscv: Don't OR mip.SEIP when mvien is one - target/riscv: Generate access fault if sc comparison fails - riscv_htif: reject invalid signature ranges (end <= begin) - hw/intc: fix heap OOB in ACLINT MTIMER multi-socket - target/riscv: fix stale ptshift and base on page walk restart - hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled - linux-user: Flush errors by using exit() instead of _exit() in error path - linux-user: Use abi_int for imr_ifindex in ip_mreqn struct - linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone - linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW - linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW - linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW - linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands - linux-user/strace: Use pointer type for read and write values - linux-user/arm/nwfpe: Use thread-local storage for qemufpa - linux-user/arm/nwfpe: Replace user_registers with current_cpu - linux-user: Don't define target_stat64 struct for loongarch64 - linux-user: fix off-by-one in host_to_target_for_each_rtattr() - linux-user/ppc: Fix ppc64 rt_sigframe stack offset - hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler - hw/misc: Fix the valid access size to the avr-power device - migration: vmstate_save_state_v: fix double error_setg - hw/display: don't accidentally autofree existing virgl resources (Closes: CVE-2026-6502) - meson: add missing semicolon in pthread_condattr_setclock test - target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode - target/i386: fix missing PF_INSTR in SIGSEGV context - target/i386: fix strList leak in x86_cpu_get_unavailable_features - target/arm/tcg/translate.c: remove MO_TE usage - ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen) - ui/spice-app: detect runtime directory creation failures - serial COM: windows serial COM PollingFunc don't sleep - util/cutils: Fix heap corruption under Windows - virtio-blk: fix zone report buffer out-of-memory (Closes: CVE-2026-5761) - qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config - hw/uefi: fix heap overflow (Closes: CVE-2026-5744) - virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (Closes: CVE-2026-5763) - util/readline: Fix out-of-bounds access in readline_insert_char() - target/arm: fix fault_s1ns for stage 2 faults - target/arm: do_ats_write(): avoid assertion when ptw failed - bsd-user, linux-user: signal: recursive signal delivery fix - linux-user: Make openat2() use -L for absolute paths - linux-user: update select timeout writeback - linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set - util: fix missing aio_wait sym in qemu guest agent only build - monitor: Fix deadlock in monitor_cleanup - scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable - ide: Fix potential assertion failure on VM stop for PIO read error - ui/vnc-jobs: fix VncRectEntry leak on job cleanup - hw/net/rocker: Avoid double-free of l2_flood.group_ids - lsi53c895a: keep SCSIRequest alive during DMA - lsi53c895a: keep lsi_request alive as long as the SCSIRequest - lsi53c895a: keep lsi_request and SCSIRequest in local variables - lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0 - lsi53c895a: keep a reference to the device while SCRIPTS execute (Closes: #1085299, CVE-2024-6519) - scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic - scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS - scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms - hw/nvme: fix heap-buffer-overflow in nvme_abort - hw/nvme: re-enable wzds bit in namespace dlfeat - tcg: Pass host-endian values to plugin_gen_mem_callbacks_* - hw/audio/sb16: validate VMState fields in post_load - block/curl: free s->password in cleanup paths - linux-aio: Resubmit tails of short reads/writes - linux-aio: Put all parameters into qemu_laiocb - hw/dma/pl080: Fix transfer logic in PL080 - linux-user/i386/signal.c: Correct definition of target_fpstate_32 - hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling - hw/net/ftgmac100: Improve DMA error handling - hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop (Closes: CVE-2026-3890) - rust: suggest passing --locked to "cargo install" - target/riscv: rvv: Fix page probe issues in vext_ldff - target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses - Expand the probe_pages helper function to handle probe flags - block: Drop detach_subchain for bdrv_replace_node - virtio-gpu: fix overflow check when allocating 2d image (Closes: CVE-2026-3886) - io: Fix TLS bye task leak - ppc/pnv: generate dtb after machine initialization is complete - ppc/pnv: fix dumpdtb option - block/mirror: fix assertion failure upon duplicate complete for job using 'replaces' - throttle-group: Fix race condition in throttle_group_restart_queue() - target/i386: fix NULL pointer dereference in legacy-cache=off handling - hw/dma/pl080: Ignore bottom 2 bits of LLI register - hw/dma/pl080: Update interrupts after pl080_run() - hw/dma/pl080: Handle bogus swidth and dwidth in transfers - linux-user: fix mremap with old_size=0 for shared mappings - linux-user: Fix zero_bss for RX PT_LOAD segments - hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug . * 10.0.9 stable/bugfix release: - Update version for 10.0.9 release - hyperv/syndbg: check length returned by cpu_physical_memory_map() (Closes: CVE-2026-3842) - fuse: Copy write buffer content before polling - target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch - target/loongarch: Preserve PTE permission bits in LDPTE - hw/net/npcm_gmac: Catch accesses off the end of the register array - linux-user: fix TIOCGSID ioctl - tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va - bsd-user: Deal with mmap where start > reserved_va - linux-user: Deal with mmap where start > reserved_va - hw/net/xilinx_ethlite: Check for oversized TX packets - virtio-gpu: Ensure BHs are invoked only from main-loop thread - block/nfs: Do not enter coroutine from CB - block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting - block/throttle-groups: fix deadlock with iolimits and muliple iothreads - mirror: Fix missed dirty bitmap writes during startup (Closes: #1129349) - block/curl: fix concurrent completion handling - block/vmdk: fix OOB read in vmdk_read_extent() (Closes: #1128478, CVE-2026-2243) - hw/net/smc91c111: Don't allow negative-length packets - io: fix cleanup for websock I/O source data on cancellation - io: fix cleanup for TLS I/O source data on cancellation - io: separate freeing of tasks from marking them as complete - target/i386/hvf/x86_mmu: Fix compiler warning - hw/i386/vmmouse: Fix hypercall clobbers - tests/docker: upgrade most non-lcitool debian tests to debian 13 - hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat for fs synth driver - hw/9pfs: fix data race in v9fs_mark_fids_unreclaim() - target/arm: set the correct TI bits for WFIT traps - hw/ssi/xilinx_spips: Reset TX FIFO in reset - hw/misc/virt_ctrl: Fix incorrect trace event in read operation - virtio-snd: tighten read amount in in_cb (Closes: #1129604, CVE-2026-3195) - virtio-snd: fix max_size bounds check in input cb (Closes: #1129604, CVE-2026-3195) - virtio-snd: handle 5.14.6.2 for PCM_INFO properly (Closes: #1129605, CVE-2026-3196) - virtio-snd: remove TODO comments - virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type (was in virtio-gpu-virgl-Add-virtio-gpu-virgl-hostmem-region.patch) - target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB - target/arm: Account for SME in aarch64_sve_narrow_vq() assertion - target/arm: Introduce ARMCPU.sme_max_vq - hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers - docs/about/emulation: Add documentation for hotblocks plugin arguments - contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64 - contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks - contrib/plugins/hotblocks: Correctly free sorted counts list - contrib/plugins: Fix type conflict of GLib function pointers - python: drop uses of pkg_resources - plugins: fix cross-build using LLVM for Windows targets - s390x/pci: Fix endianness for zPCI BAR values qtmir (0.8.0~git20250407.ea2f477-1+deb13u1) trixie; urgency=medium . * debian/patches: + Add 0009_src-modules-Add-header-for-getpid.patch. Add include for getpid() function. + Add 0002_src-modules-Re-introduce-lost-workaround-for-font-re.patch. Regression fix, fix arbitrary font rendering glitches. (LP:#1583088). + Add 0011_src-platforms-Wrap-window-activity-change-in-a-try-c.patch. Selecting the active window can lead to a range exception, so avoid a crash by wrapping this in a try-catch. + Add 0012_src-modules-Partial-revert-of-e73ef71622ad3202b77bf6.patch. Drop overzealous code when removing a window. + Trivial rebase of 2003_disable-benchmarks.patch. + Add 0022_modules-MirSurface-try-to-let-Mir-forceClose-dead-su.patch. Attempt at forceClosing dead surfaces. + Add 0031a_src-platforms-Select-GLRenderingProvider-based-on-su.patch and 0031b_src-platforms-fix-anonymous-call-for-C-20.patch. Support Lomiri on Asahi Linux. + Add 0033_src-platforms-Do-not-composite-again-on-running-comp.patch. Don't crash when GRID_UNIT_PX is set to other values than 8. Fix scaling support in Lomiri. + Add 0034_src-platforms-Remove-guard-producing-dead-code-use-c.patch. src/platforms: Remove guard producing dead code; use caching instead. + Add 0035_src-platforms-Export-Xwayland-DISPLAY-to-systemd-and.patch. src/platforms: Export Xwayland DISPLAY to systemd and DBus. + Add 1001_do-not-focus-windows-on-touchdown-events.patch. wrappedwindowmanagementpolicy: do not focus windows on touch down events. Otherwise Mir will incorrectly focus the last opened window in Lomiri spread. rauc (1.13-3+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2026-34155: Improper Signing of Plain Bundles Exceeding 2 GiB redis (5:8.0.2-3+deb13u2) trixie-security; urgency=high . * CVE-2025-67733: RESP protocol injection via Lua error_reply. A user could manipulate data read by a connection by injecting CR/LF sequences into a Redis error reply. * CVE-2026-21863: Remote DoS with malformed Cluster bus message. A peer could send a crafted PING/PONG/MEET packet whose gossip count or ping-extension header exceeds the received packet length, causing out-of-bounds reads and a server crash. request-tracker5 (5.0.7+dfsg-4+deb13u3) trixie-security; urgency=high . * Include missing default configuration items for security vulnerability fixes included in 5.0.7+dfsg-3. Namely: RestrictLinkDomains and Cipher in %SMIME. * Apply upstream patch which fixes several security vulnerabilities: - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL parameter. - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values that are exported to a spreadsheet from search results. User-controlled data is not sanitized before being written to the output file, which can cause spreadsheet applications such as Microsoft Excel to interpret crafted values as formulas or macros when the file is opened. - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON search. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. - [CVE-2026-41076] LDAP authentication bypass when RT is configured to authenticate users against an LDAP or Active Directory server. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. - [CVE-2026-44229] Cross-site scripting via uploaded content that is served inline rather than as an attachment. - [CVE-2026-44230] Reflected cross-site scripting on search-results chart pages. - [CVE-2026-44231] Privilege escalation and information disclosure via the REST 2.0 user collection endpoint. A Privileged RT user can obtain authentication credentials belonging to other users, including administrators, and use those credentials to read data via RT's RSS and iCal feed endpoints. The same request that exposes the credentials also rotates them, which invalidates previously-distributed feed URLs across the instance. resource-agents (1:4.16.0-3+deb13u2) trixie; urgency=medium . * debian/patches: fix bash syntax error (Closes: #1133386) rhino (1.7.15.1-0.1~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. . rhino (1.7.15.1-0.1) unstable; urgency=medium . * Non-maintainer upload. * New upstream release. - CVE-2025-66453: High CPU usage and potential DoS when passing specific numbers to toFixed() (Closes: #1121953) rlottie (0.1+dfsg-4.2+deb13u2) trixie; urgency=medium . * Fix off-by-one error in Fortify-FreeType-raster.patch. * Add Fixed-vpath-potential-issue.patch to fix CVE-2026-47319. (Closes: #1138919) * Add Limit-recursion-in-LOTLayerItem.patch to fix CVE-2026-47320. (Closes: #1138920) * New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305. (Closes: #1139179) * New Fix-heap-buffer-overflow-from-short-truncation.patch. roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high . * New upstream security and bugfix release (closes: #1137507). + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query plugin` via `preg_replace()` backslash escape bypass. + Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add support non quad-dotted IPs and non-decimal fields to d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to match the new upstream behavior. + Fix CVE-2026-48844: Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has now been removed. + Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources were not allowed. + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`. + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache session poisoning bypass. + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG . + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of the draft restore dialog. + Fix PHP8 warnings. + Fix potential too long value in IMAP ID command. * Refresh d/patches. roundcube (1.6.15+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1132268). + Fix SVG animate FUNCIRI attribute bypass (remote image loading via fill/filter/stroke). + Fix regression where mail search would fail on non-ascii search criteria. + Fix regression where some data url images could get ignored/lost. * Refresh d/patches and remove those applied upstream. * d/control: Add Build-Depends: node-source-map. * Improve custom patch to avoid dependency on mlocati/ip-lib: + Trim leading zeros from the decimal representation of IPv4 octets to match GuzzleHTTP's mangling of invalid IP addresses. + Treat IPv4-mapped and IPv4-compatible addresses as belonging to the local range when the v4 address is also local. rsync (3.4.1+ds1-5+deb13u4) trixie; urgency=medium . * Non-maintainer upload. * Import upstream patch to reject overlong HTTP proxy response lines, avoiding a one byte out of bounds stack write when using RSYNC_PROXY. (CVE-2026-45232). rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Address several vulnerabilities - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no) - CVE-2026-43617: Authorization bypass via hostname resolution (daemon chroot mode) - CVE-2026-43618: Integer overflow in compressed-token decoder (info disclosure) - CVE-2026-43619: Symlink-race conditions in path-based syscalls - CVE-2026-43620: Out-of-bounds array read in receiver recv_files() * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath rtl-433 (25.02-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2025-34450: Buffer overflow in parse_rfraw() (Closes: #1126178) ruby-css-parser (1.19.0-1+deb13u1) trixie; urgency=medium . * Team upload. * Import upstream patch to stop disabling HTTPS certificate verification when loading remote CSS. (CVE-2026-44312) rust-time (0.3.37-1+deb13u1) trixie; urgency=medium . * Backport upstream fix for CVE-2026-25727 (Closes: #1128404) samba (2:4.22.10+dfsg-0+deb13u1) trixie; urgency=medium . * switch to actual upstream release for the May-2026 security fixes: . * This is a security release in order to address the following defects: . CVE-2026-1933: Missing access checks on reparse point operations On a share marked "read only = yes" and on file handles opened R/O users can set or delete the reparse point xattrs on files that the user has write-access in the file system for. https://www.samba.org/samba/security/CVE-2026-1933.html . CVE-2026-2340: WORM vfs module does not block overwrites The WORM (Write-Once, Read Many) vfs module is supposed to lock write access to shared files, so they cannot be altered after initial writes. It was allowing files to be overwritten by renaming a newly created file over a protected file. https://www.samba.org/samba/security/CVE-2026-2340.html . CVE-2026-3012: auto-enrolment GPO installing CA certificate over http without verification To bootstrap a certificate chain a domain member must fetch a certificate without TLS. It was trusting HTTP for this when a more secure encrypted LDAP channel was also available. https://www.samba.org/samba/security/CVE-2026-3012.html . CVE-2026-3238: Denial of service against AD DC WINS server The WINS server component of the Active Directory Domain controller code in Samba is vulnerable to a NULL pointer dereference and crash caused by an unauthenticated UDP packet. https://www.samba.org/samba/security/CVE-2026-3238.html . CVE-2026-4408: Unauthenticated Remote Code Execution in Samba DCE/RPC SAMR server Samba file servers and classic (non-AD) domain controllers with samba-dcerpcd started as a system service and with a "check password script" that has the %u substitution character are vulnerable to a remote code execution. https://www.samba.org/samba/security/CVE-2026-4408.html . CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing subsystem Samba print servers with a "print command" that has the %J substitution character are vulnerable to a Remote Code Execution. https://www.samba.org/samba/security/CVE-2026-4480.html samba (2:4.22.8+dfsg-0+deb13u2) trixie-security; urgency=medium . * https://bugzilla.samba.org/show_bug.cgi?id=16018 May-2026 samba security update fixing the following issues: CVE-2026-1933: Missing access check on reparse point operations https://bugzilla.samba.org/show_bug.cgi?id=15992 CVE-2026-2340: vfs_worm does not block directory modification https://bugzilla.samba.org/show_bug.cgi?id=15997 CVE-2026-3012: group policy certificate enrollment uses http:// without validation https://bugzilla.samba.org/show_bug.cgi?id=16003 CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server https://bugzilla.samba.org/show_bug.cgi?id=16012 CVE-2026-4480: Unauthenticated Remote Code Execution using print command https://bugzilla.samba.org/show_bug.cgi?id=16033 CVE-2026-4408: Remote Code Execution in SAMR when check password script contains %u substitution placeholder https://bugzilla.samba.org/show_bug.cgi?id=16034 shim (16.1-2~deb13u1) trixie; urgency=medium . * Backport new shim release to trixie + Needed so we have a new shim signed with both Microsoft UEFI Root CAs * Disable NX for the trixie build + We don't have a complete NX boot chain here. * Also switch to using the default version of gcc in trixie shim (16.1-2~deb12u1) bookworm; urgency=medium . [ Steve McIntyre ] * Backport new shim release to bookworm + Needed so we have a new shim signed with both Microsoft UEFI Root CAs * Disable NX for the bookworm build + We don't have a complete NX boot chain here. * Also switch to using the default version of gcc in bookworm shim (16.1-1) unstable; urgency=medium . * New upstream release: 16.1 * Switch to gcc-14 * Drop old patches, no longer needed + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch * Add new patch from upstream: + 0001-Fix-build-with-binutils-2.46.patch. Closes: #1125741 * Add lintian overrides: + Ignore included binaries for unit tests * Bump SBAT revocation level to 2024040900 aka "shim,4\ngrub,4\ngrub.peimage,2\n" * Enable NX for the sid/forky build + We should have a complete NX boot chain now... shim-helpers-amd64-signed (1+16.1+2~deb13u1) trixie; urgency=medium . * Update to shim 16.1-2~deb13u1 shim-helpers-amd64-signed (1+16.1+2~deb12u1) bookworm; urgency=medium . * Update to shim 16.1-2~deb12u1 shim-helpers-amd64-signed (1+16.1+1) unstable; urgency=medium . * Update to shim 16.1-1 shim-helpers-arm64-signed (1+16.1+2~deb13u1) trixie; urgency=medium . * Update to shim 16.1-2~deb13u1 shim-helpers-arm64-signed (1+16.1+2~deb12u1) bookworm; urgency=medium . * Update to shim 16.1-2~deb12u1 shim-helpers-arm64-signed (1+16.1+1) unstable; urgency=medium . * Update to shim 16.1-1 shim-signed (1.51~1+deb13u1) trixie; urgency=medium . * Signed versions of the 16.1-2~deb13u1 shim build for trixie * Update build-dep to use 16.1-2~deb13u1 shim-signed (1.51~1+deb12u1) bookworm; urgency=medium . * Signed versions of the 16.1-2~deb12u1 shim build for bookworm * Update build-dep to use 16.1-2~deb12u1 shim-signed (1.50) unstable; urgency=medium . * Fix up stupid omission in the previous package upload - the changes in 1.49 did not take into account the "SecureBoot enabled" case when adding a default error trap. Closes: #1137098, #1137101. shim-signed (1.49) unstable; urgency=medium . * Make mokutil parsing more robust. Closes: #1137063 + Cope with "Platform is in Setup Mode" message + If we get any other unexpected output, print what we got for debugging. shim-signed (1.48) unstable; urgency=medium . * Add support for verifying and then combining signatures from multiple signed shims. + Existing sbverify versions in Debian are buggy when verifying. + Switch to using a python script verify_combine_sigs to fill in the gaps. * In preinst, try to verify that the signed shim we're trying to install will actually boot on this system - let's not break systems on upgrade. * We now include a dual-signed shim including the 2023 CA. Closes: #1112197 * The shim included is now NX-capable. Closes: #1064102 skanpage (25.04.2-1+deb13u1) trixie; urgency=medium . * CVE-2025-55174 (Closes: #1121443) smartdns (46.1+dfsg-1.1~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie. . smartdns (46.1+dfsg-1.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2026-1425: Stack buffer overflow in DNS SVCB/HTTPS record parsing (Closes: #1126538) sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium . * Non-maintainer upload. . [ Peter Wienemann ] * Add patch to fix CVE-2026-46445 and CVE-2026-46446: - CVE-2026-46445: SQL injection vulnerability when at least one user source is a PostgreSQL database - CVE-2026-46446: SQL injection vulnerability when at least one user source is an SQL database (MariaDB or PostgreSQL) and passwords are stored in plain text * Add patch to fix CVE-2025-71276: (Closes: #1131605) XSS with events, tasks and contacts categories * Add patch to fix CVE-2026-3054: (Closes: #1130878) XSS via manipulation of the argument hint * Add patch to fix CVE-2026-33550: (Closes: #1131606) TOTP vulnerabilities: - If a user disables/enables it, it is not renewed. - Length is too short (12 rather than recommended 20). * Add patch to fix CVE-2026-8496: A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. * Add patch to fix a regression introduced by fix for CVE-2026-8496 * Add patch to fix CVE-2026-8851: SQL injection vulnerability in the access control list management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. * Add patch to fix folder path in fix for CVE-2026-8851 * Add patch to fix openid validation: Verify that the returned email domain is authorized and that the user exists in the local source. * Add two patches to fix XSS in message subject rendering * Add three patches to fix message rendering . [ Jordi Mallach ] * Add upstream patch to fix impersonation issues when importing events. spip (4.4.15+dfsg-0+deb13u1) trixie-security; urgency=medium . [ David Prévot ] * Document CVE in previouss changelog entry . [ Matthieu Marcillaud ] * build: Ajout du polyfill PHP 8.5 * build: update dependencies * build: Version 4.4.15 + Fix remote code execution vulnerability in the private space [CVE-2026-8429] + Fix remote code execution vulnerability in the public space that is limited to certain nginx configurations [CVE-2026-8430] spip (4.4.14+dfsg-1) unstable; urgency=medium . [ David Prévot ] * Document CVE in previouss changelog entry * Update mutualisation to 2.0.1 * Update standards version to 4.7.4, no changes needed. . [ Matthieu Marcillaud ] * build: Ajout du polyfill PHP 8.5 * build: update dependencies * build: Version 4.4.14 spip (4.4.13+dfsg-1) unstable; urgency=medium . [ Matthieu Marcillaud ] * build: Version 4.4.13 squid (6.13-2+deb13u2) trixie-security; urgency=medium . * CVE-2026-33515 * CVE-2026-33526 * CVE-2026-47729 * CVE-2026-50012 squirrel3 (3.1-8.2+deb13u1) trixie; urgency=medium . * Non-maintainer upload. * CVE-2021-41556: Sandbox Escape (Closes: #1016212) sshfs-fuse (3.7.3-1.2~deb13u1) trixie; urgency=medium . * Non-maintainer upload. * Rebuild for trixie . sshfs-fuse (3.7.3-1.2) unstable; urgency=high . * Non-maintainer upload. * add contain_symlinks option to prevent symlink escape attacks (CVE-2026-47187) (Closes: #1138293) * reject hostname option injection via bracketed mount source (CVE-2026-48711) (Closes: #1138293) sshfs-fuse (3.7.3-1.2~deb12u1) bookworm; urgency=medium . * Non-maintainer upload. * Rebuild for bookworm . sshfs-fuse (3.7.3-1.2) unstable; urgency=high . * Non-maintainer upload. * add contain_symlinks option to prevent symlink escape attacks (CVE-2026-47187) (Closes: #1138293) * reject hostname option injection via bracketed mount source (CVE-2026-48711) (Closes: #1138293) starlette (0.46.1-3+deb13u2) trixie-security; urgency=medium . * CVE-2026-48710 (Closes: #1137375) starman (0.4018-0+deb13u1) trixie; urgency=medium . [ gregor herrmann ] * Import upstream version 0.4018. - Fix HTTP request smuggling: Transfer-Encoding now takes precedence over Content-Length per RFC 7230 §3.3.3 (CVE-2026-40560) Closes: #1135229 strongswan (6.0.1-6+deb13u6) trixie-security; urgency=medium . * d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895) swift (2.35.1-0+deb13u2) trixie-security; urgency=medium . * CVE-2026-49017: Swift proxy-server denial of service via truncated s3api chunked upload. Applied upstream patch: "s3api: Error on truncated aws-chunked input" (Closes: #1138170). symfony (6.4.41+dfsg-0+deb13u1) trixie-security; urgency=medium . [ Fabien Potencier ] * Update VERSION for 6.4.41 . [ Nicolas Grekas ] * [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs [CVE-2026-45064] * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077] * [Yaml] Bound recursion depth in the parser [CVE-2026-45133] * [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072] * [Cache] Validate the prefix given to AbstractAdapter::clear() [CVE-2026-45073] * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304] * [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking [CVE-2026-45305] * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] [CVE-2026-46626] * [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient [CVE-2026-48736] * [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS [CVE-2026-48736] * [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs [CVE-2026-48760] * [HtmlSanitizer] Sanitize URL attributes on , ,